23542300x8000000000000000132718349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:10.320{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3672A52A1BA5E7C4C46DD3E435E3BB9,SHA256=A13ED883E2C693DD6C88E73DA99340FB4A3F8F17DAF4ABDB283788A357E7FF78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:10.039{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09C713A0BFF2DD2081173B087473BA7,SHA256=9F81A518350ECF9E532D2F21E0B3FCF7C041990B4333F3ED193E796AA7BD49C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:11.367{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97239E5AED37C35FD19FCD104697E235,SHA256=1678EF4D4570D21A9C6F313D20506C01E5C6476104B2B2CC4A6676B9AF49D70B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:11.054{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F181863C2F496547D1CCA6CDB0F882,SHA256=535FCBF406351FDA23343273A682E9EBFC08D114C3C302CB87731E2E36D74E35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:11.038{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3611BA9243DF7632EF69A43F4E8106C2,SHA256=2ED161F79E148AF770E58E55404C92713A4389270F92B304DA8187F6A541AD50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:12.773{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A66E98C202D42B43AB1E8B5B5E09F67B,SHA256=F73D08D67F7D343DDA2F3E88135FCCC5DAA8F070E0B3050488B7118EA612ABFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:12.398{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D94F81C20F410D1E95CCCEA4BE1E6AB,SHA256=B5550AD31EA38AC8746DBF2EB56013DFFCEC8342AEC4EC1CDC2B21E813635DBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:10.980{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52859-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:12.084{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41472CF08A3F27FBD4535F78CAA1AB21,SHA256=31036D02914FCD23C0939C90DAD1E2FACBB3D20A2EDD68952AFDBF262513C5A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:13.167{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED12E4C726E226E01D392E421635CE7,SHA256=28B217C7B897B0BF8B6BD5674AD7B71E4598505203B1886F6BE1DB99818ED4E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132718411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.664{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000132718410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.664{3BF36828-52AD-61BA-5109-01000000CE01}24363732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.664{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132718408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.664{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000132718407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.507{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132718406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.507{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132718405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.507{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132718404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132718403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132718402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132718401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132718400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132718399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132718398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000132718397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132718396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.492{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132718395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132718394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132718393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132718392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132718391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132718389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132718388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132718387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132718386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132718385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132718384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132718383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132718382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132718381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132718380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host 
for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132718379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132718378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132718377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000132718376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132718375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132718374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132718373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132718372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132718370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000132718369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132718368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132718365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:13.476{3BF36828-851C-61B1-0500-00000000CE01}412428C:\Windows\system32\csrss.exe{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132718358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.476{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132718356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.446{3BF36828-52AD-61BA-5109-01000000CE01}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000132718355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:39:56.200{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60052-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:13.429{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809F204E91990851B1C064BE55B1B35A,SHA256=7A1251807941197E0E60BE2E66CB7BB15A0C40E34629F9894BF7CA12EE60369D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:14.182{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFEF0B2F9264E086574E3A8F56FE5EC,SHA256=44EF3D8B248110C5512DB3DA19D866E433F93DEDDB46B713E5459F3085F45814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.992{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC7C5EBCA72D121A24D12C6F865A941B,SHA256=A4DE98D25E56571DB4A26C62960B8EE756C290CBE137A31DEBF28844227DD1EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.929{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC28F17F2D221E97F255E705235E2A35,SHA256=5A1C084D44D695BD94C1F5159A0387FFD645E35AB5189D9A16EF621C7DEBDD96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.851{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B3860763D3849CFC78AFE05558785F,SHA256=53F4B27F7384D52232A0431BE8B897093E33370E277917C5A8C3C1F7AF78A2F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132718534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.820{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132718533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.820{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132718532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.820{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132718531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.820{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9C742E261FE648E466C259B0CFB5F73,SHA256=CB9909FE8EC5CD65BE7A6F00F4477D52C6A945F4F87BD2A4352F784B2EFE4A6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.726{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7E21A39A6560F6AF0472C89649E2DF6,SHA256=2C7CE331CC72F843DB8DF70DC2155AB62340A7FD7858BB36C20BB032CD7E30CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132718529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.679{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132718528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.679{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132718527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.679{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132718526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.679{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132718525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132718524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132718523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132718522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 
734700x8000000000000000132718521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132718520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132718519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132718518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132718517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132718516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132718515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132718514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132718513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000132718511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132718510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132718509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132718508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132718507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132718506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132718505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x8000000000000000132718504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.664{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132718503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132718502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132718501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132718500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132718499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132718498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132718497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132718496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000132718495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132718494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132718493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132718491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000132718490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000132718488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.648{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132718478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.648{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132718477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.642{3BF36828-52AE-61BA-5309-01000000CE01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132718476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.632{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32A9A18283655D8D6C572B567BEC5099,SHA256=DD0B17A495F827E150D62EECB2A8F9E0250008A28E23261EF91B632958B12528,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132718475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.539{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16AE5328A46FB35EE7697B5D8F5899CD,SHA256=91794295B33825FCF734675627755DA04BEA2DE6E4816AA3080F94DBB5A8F1A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.460{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCD1985D06BEEC8F0B8CE6431A90B7CA,SHA256=A33C2333CD382B711A4DA761C2E3B854D45DB137926CF75D81ABE5D5FC966CF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.460{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4DFFDD031A483543EE8F4FAE6D6EBF,SHA256=9810C08E7A601777E41BF8F8D0333B7F86628375D94A28B83AA6E9BE12EF11E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.367{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB334B54AD8BC83FFFFC3F8DF07E3B24,SHA256=E5EFC000B726DD0FFA64ED7C577EC37E703D97ECC56546F50CC062F325907CDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.288{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88694265E85EFD04581A23F8E738DAA3,SHA256=211E02D037FAEFF2FAA010032BF20458EABFC50ECC3F4DF8BA34C00524A86B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132718470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.257{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000132718469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.257{3BF36828-52AE-61BA-5209-01000000CE01}52082628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.242{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132718467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.242{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000132718466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.117{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000132718465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132718464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132718463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132718462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 
(rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132718461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132718460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132718459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 
734700x8000000000000000132718458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.101{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132718457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132718456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132718455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132718454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132718453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132718452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132718450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132718449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000132718448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132718447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132718446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132718445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP 
Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132718444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132718443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132718442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132718441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132718440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132718439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132718438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000132718437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132718436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132718435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132718434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132718433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132718432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000132718431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
10341000x8000000000000000132718430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132718428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132718427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132718426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000132718423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:14.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-851C-61B1-0500-00000000CE01}412528C:\Windows\system32\csrss.exe{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132718415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.085{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132718414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.075{3BF36828-52AE-61BA-5209-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132718413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.070{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C96A032304282FBAFAFBB58AFE4A38E,SHA256=60D62C954C79605A86DDA5D10EF3F961BF644F5B78955515F707A538EC443707,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132718412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:14.007{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47AF6C8BBE38989F72F26866269E1458,SHA256=AE408409EF8408927A01E576143F8B5FB9D197054901DF247036FF62E0DC0E33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:15.203{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD135D528937909AF97A135541F078B3,SHA256=12C274E5593C850072F465F45354B02BE4ECD765C76FA1664693E629EAF72F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132718659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.992{3BF36828-52AF-61BA-5509-01000000CE01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000132718658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.992{3BF36828-52AF-61BA-5509-01000000CE01}48281044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.992{3BF36828-52AF-61BA-5509-01000000CE01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132718656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.992{3BF36828-52AF-61BA-5509-01000000CE01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000132718655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.788{3BF36828-52AF-61BA-5509-01000000CE01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132718654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.788{3BF36828-52AF-61BA-5509-01000000CE01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132718653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.788{3BF36828-52AF-61BA-5509-01000000CE01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132718652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.788{3BF36828-52AF-61BA-5509-01000000CE01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132718584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.195{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132718583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132718582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000132718581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132718580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132718579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132718578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132718577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132718576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132718575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132718574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router 
Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132718573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132718572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132718571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132718570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132718569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132718568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132718567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132718566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132718565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132718564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 
734700x8000000000000000132718563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.179{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132718562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132718561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132718560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132718559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132718558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x8000000000000000132718556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132718554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132718553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-52AF-61BA-5409-01000000CE01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000132718551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:15.163{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:15.163{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:15.163{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:15.163{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
734700x8000000000000000132718703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132718702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132718701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132718700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132718699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132718698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132718697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132718696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132718695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132718693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000132718692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132718691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132718690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132718689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132718688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000132718687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132718686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000132718685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000132718684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000132718683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132718682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132718681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132718680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000132718679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132718678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132718677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132718676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000132718674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:16.289{3BF36828-851C-61B1-0500-00000000CE01}412428C:\Windows\system32\csrss.exe{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132718664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.289{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132718663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:16.275{3BF36828-52B0-61BA-5609-01000000CE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
20:40:20.523{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1400-00000000CE01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:20.523{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1400-00000000CE01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:20.523{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1400-00000000CE01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:20.523{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1400-00000000CE01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:20.523{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1400-00000000CE01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:20.523{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1400-00000000CE01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000132718799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:20.023{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83C49065D81AAFEBE6BAE97A03239B26,SHA256=D85A4DB7D595D9F23EFE58B3E8532AF733F628BCCF627404C1C7B7527D9C426A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:21.718{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9941C8C74FCCBD6FD29A6A4D041E02AC,SHA256=F651791D7954B3A5D122F0691C7E1ECE2AA4AD7FE7741B48DE04B7C6F1A59A03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132718825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:04.589{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local60056-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000132718824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:04.589{3BF36828-851F-61B1-1600-00000000CE01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60056-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000132718823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:04.579{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local60055-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000132718822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:04.579{3BF36828-851F-61B1-1600-00000000CE01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local60055-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x8000000000000000132718821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:21.164{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E37AEA8D0DA7CAE282D209FA2E3C0E54,SHA256=4856D9DB59788174B55A27A9B248C36AC4CD79AA8A400ACE4C6AEA9EBAB0E02A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:21.007{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD405EF9584BA7E1C293308FCDC0E1D,SHA256=203C5238219186778C69D0AA144F3EB10485D0B0BF4565C00D8E0B5781E95EE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:22.798{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD5B92306D089121B15190090D65EF9,SHA256=5D56FA0F539BA9F952E6C8FF039C3DFFC923DFAA867A32E8DC87649A263C373B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132718830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:40:04.688{3BF36828-851A-61B1-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local60058-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000132718829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:04.687{3BF36828-851A-61B1-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local60058-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000132718828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:04.621{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60057-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000132718827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:22.304{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=423AAE92B621B2123EF01F753EAC4840,SHA256=0FB31801C3D92DDA316F3EC1B3E75EE7A89C4AC22CF8EF2FCC92D2EE24EE1C14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:22.023{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1548E32984C2A4DB07FB90C867D8001,SHA256=D8C0517B411E8CF465B83ED82907EDB01FBDEDC9507F30593DF49316F028DD6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000064847263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:23.964{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0BFE997AB77D2D01E5FFD3ECB37856,SHA256=699084DDAD55263BAF2EB0FB31D99C1888EA9274DDAF7CD3FC22F46546C42099,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132718833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:06.309{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60060-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:23.445{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACBD874A94021DA7AB8C60B471AC3FDA,SHA256=5D7CE88C8F77F8BA69FD9516A464DD858A6BD862DE71F7E38132DB98E6C9515E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:23.132{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4242D7C44D5A4E2C584FA92E190C5F3,SHA256=6244E93EEF2B510F2ED8586C3EA9667B7EE9EB765598E32D47703C4E07596BA2,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000132718835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:24.585{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66EF207BD238C19587A2C1B466E55444,SHA256=EEA7DDBED51B8EF513E466050B582261EF0C7BEFFFE5E30920581EC944741A63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:24.148{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27D97542E44EAD25953F087B13C8661,SHA256=58B1584EED7AA5ACAD5DF1D82B08101B503C1FACF8C07C53CAEC6E343C7B17A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:24.916{B81B27B7-52B8-61BA-5007-00000000CD01}6020NT AUTHORITY\SYSTEMC:\Windows\System32\sihclient.exeC:\Windows\Logs\SIH\SIH.20190911.053654.778.1.etlMD5=C91A6C8A0BD22EA05D5D9D90F62F9393,SHA256=C9A4A2C27BFE53EDBF6EF3BC8A44C93D7024C2F51088636C91A82CD2A8D8E2A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:24.863{B81B27B7-1E7A-61BA-1400-00000000CD01}3681340C:\Windows\system32\svchost.exe{B81B27B7-52B8-61BA-5007-00000000CD01}6020C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:24.832{B81B27B7-1E7A-61BA-1400-00000000CD01}3681340C:\Windows\system32\svchost.exe{B81B27B7-52B8-61BA-5007-00000000CD01}6020C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:24.764{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:24.764{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:24.764{B81B27B7-1E79-61BA-0B00-00000000CD01}6366864C:\Windows\system32\lsass.exe{B81B27B7-1E79-61BA-0A00-00000000CD01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:24.764{B81B27B7-1E79-61BA-0B00-00000000CD01}6366864C:\Windows\system32\lsass.exe{B81B27B7-52B8-61BA-5007-00000000CD01}6020C:\Windows\System32\sihclient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:24.764{B81B27B7-1E79-61BA-0B00-00000000CD01}6366864C:\Windows\system32\lsass.exe{B81B27B7-52B8-61BA-5007-00000000CD01}6020C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:24.732{B81B27B7-1E7A-61BA-1400-00000000CD01}3681340C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:24.732{B81B27B7-52B8-61BA-5107-00000000CD01}50001236C:\Windows\system32\conhost.exe{B81B27B7-52B8-61BA-5007-00000000CD01}6020C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:24.717{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-52B8-61BA-5107-00000000CD01}5000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:24.717{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52867-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:40.051{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24921ECE126DA88E246F864FA6AA20B5,SHA256=BBC045459E1BAF98CAE9942C09BC8FA52CB644E6F980E2677A2E8F0AFAA9DD51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:40.328{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D91E06C299D91E46B7AAC3087242A621,SHA256=99DE69C5793040DBB1CB1E1055ABEB5602FC01E1EF2FC3620AE02B6D858BDDD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132718869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:22.145{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60063-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:41.797{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D26DB3A0DB0B979A8CCAB8A4A00799,SHA256=6EAB6FACE0FAEC43BDD6A41817471BF193D37719EFB770AC8B255379B27AE0AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:41.641{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4256C564634962556416CFE1F947CD93,SHA256=0200CFB52A32D3924F2BE7993C86C9A66BB7E8494DCD73D5CFF74F378BEAC019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:41.053{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332207403190E5E6B12ACFB486DE77A7,SHA256=DC9FD82CEACCD957A07252F1005454370F04A0C1215E92A813CA56B865B7774A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:42.672{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0878C498605F8BF27A8D31A2640D4BDB,SHA256=31F591752C438D6C83816022D7FAF93325FDE837F35AD0A912FB243E2F5DAE85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000064847344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.904{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-52CA-61BA-5307-00000000CD01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.904{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-52CA-61BA-5307-00000000CD01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.904{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.904{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-52CA-61BA-5307-00000000CD01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.905{B81B27B7-52CA-61BA-5307-00000000CD01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000064847331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.389{B81B27B7-52CA-61BA-5207-00000000CD01}18726812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.236{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-52CA-61BA-5207-00000000CD01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:42.236{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:42.236 | SourceProcessGUID={B81B27B7-1E79-61BA-0500-00000000CD01} | SourceProcessId=412 | SourceThreadId=428 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={B81B27B7-52CA-61BA-5207-00000000CD01} | TargetProcessId=1872 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847319 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:42.236 | SourceProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} | SourceProcessId=1196 | SourceThreadId=3772 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={B81B27B7-52CA-61BA-5207-00000000CD01} | TargetProcessId=1872 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=1 | Version=5 | Level=4 | Task=1 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847318 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:42.237 | ProcessGuid={B81B27B7-52CA-61BA-5207-00000000CD01} | ProcessId=1872 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | FileVersion=8.0.2 | Description=Active Directory monitor | Product=splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-admon.exe | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={B81B27B7-1E79-61BA-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165 | ParentProcessGuid={B81B27B7-1E7B-61BA-2000-00000000CD01} | ParentProcessId=1196 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847317 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:42.085 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=DA3E4729E08EAA496CE29689580AB2A6,SHA256=7D42B6DCCC9B005A1C7C4C5FE31CE14705FE55034BD2FAA2E0150E08E6355861,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718876 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.703 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=2AC340B1F3E60688650A9D5A9D4ED986,SHA256=9171AE64446D81431C47005DC661708330DA10CE8657B3E7CFEF0FA5B0A953A1,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847360 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.887 | SourceProcessGUID={B81B27B7-1E7C-61BA-3000-00000000CD01} | SourceProcessId=3184 | SourceThreadId=3208 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={B81B27B7-52CB-61BA-5407-00000000CD01} | TargetProcessId=4184 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847359 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.884 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847358 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.884 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847357 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.884 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847356 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.884 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847355 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.884 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847354 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.884 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847353 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.884 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847352 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.883 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847351 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.883 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847350 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.883 | SourceProcessGUID={B81B27B7-1E79-61BA-0500-00000000CD01} | SourceProcessId=412 | SourceThreadId=428 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={B81B27B7-52CB-61BA-5407-00000000CD01} | TargetProcessId=4184 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847349 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.883 | SourceProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} | SourceProcessId=1196 | SourceThreadId=3772 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={B81B27B7-52CB-61BA-5407-00000000CD01} | TargetProcessId=4184 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=1 | Version=5 | Level=4 | Task=1 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847348 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.882 | ProcessGuid={B81B27B7-52CB-61BA-5407-00000000CD01} | ProcessId=4184 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | FileVersion=8.0.2 | Description=Network monitor | Product=Splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-netmon.exe | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={B81B27B7-1E79-61BA-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC | ParentProcessGuid={B81B27B7-1E7B-61BA-2000-00000000CD01} | ParentProcessId=1196 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847347 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.366 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=7AD563D17BDE4B5E24DC001F351B2450,SHA256=FDE96880BA20016904D7E4A0F64B6FCD486E42A5556705D0CB1736E8B353CE45,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847346 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.366 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=4FE25D802860BB3FE0C376FBA84D253E,SHA256=19995A3FA491D64CD8003A7B96E0990B970C28FE0E6D48B12F77007FA160450C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847345 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.351 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=95E440E476FAFB461359EDB615A567B5,SHA256=04B52845AFA805E90BD953BD0417C98C1EAB49D5C3A87BA9B6534F80CBB9479C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718875 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:43.062 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=3F127D81602A3376826D210DCD2EE6BC,SHA256=080CF2FD62CE46DC0BA28959FB5879EC8F30E37DA4094B20AD0AF8C768AB5E76,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718878 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.734 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CE18A78FA0728F7BEFF45469A31355F4,SHA256=2C9CF39724233DE563280B4AC11468EC3B21E608AA12D78C107EB85EEA85AE41,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847377 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.883 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=7AD563D17BDE4B5E24DC001F351B2450,SHA256=FDE96880BA20016904D7E4A0F64B6FCD486E42A5556705D0CB1736E8B353CE45,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847376 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.818 | SourceProcessGUID={B81B27B7-52CC-61BA-5507-00000000CD01} | SourceProcessId=1292 | SourceThreadId=6576 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} | TargetProcessId=1196 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847375 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:42.999 | ProcessGuid={B81B27B7-1E85-61BA-6900-00000000CD01} | ProcessId=4032 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-987.attackrange.local | SourcePort=52868 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847374 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7C-61BA-3000-00000000CD01} | SourceProcessId=3184 | SourceThreadId=3208 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={B81B27B7-52CC-61BA-5507-00000000CD01} | TargetProcessId=1292 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847373 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847372 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847371 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847370 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847369 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847368 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847367 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847366 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847365 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847364 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E79-61BA-0500-00000000CD01} | SourceProcessId=412 | SourceThreadId=536 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={B81B27B7-52CC-61BA-5507-00000000CD01} | TargetProcessId=1292 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847363 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.502 | SourceProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} | SourceProcessId=1196 | SourceThreadId=3772 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={B81B27B7-52CC-61BA-5507-00000000CD01} | TargetProcessId=1292 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=1 | Version=5 | Level=4 | Task=1 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847362 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.504 | ProcessGuid={B81B27B7-52CC-61BA-5507-00000000CD01} | ProcessId=1292 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={B81B27B7-1E79-61BA-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C | ParentProcessGuid={B81B27B7-1E7B-61BA-2000-00000000CD01} | ParentProcessId=1196 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847361 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.387 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7D7CE7434C2E01F64E979E2BE5DB4BBB,SHA256=7773AC579C412683825568E1B1A2D5544E6244AE64332418C05EAFE68B8341B6,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718877 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:44.125 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=43C9F2E93F44B58CF9AB96970EFF0822,SHA256=BD949A27C1399B8C5E9585756E332E188268C2F9324A503FB3A7F65B2927B34D,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718881 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:45.766 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=1C62A5590DD40A5C615F9D25AFCC810D,SHA256=0B1040DD33D0B488DB0A7595F92D8B1BC526B3EB6E32FECD9C407A61AAC8C547,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847378 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:45.583 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7DFE9FB494CDAB96B063295DC067233C,SHA256=46DA4D7133281AA6E6CE3EB5812E2A221C3FD5ADB2AB96F8CCCF3308BA04D8A5,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718880 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:45.453 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=A651408C5E85077FD22496B54761225C,SHA256=F299D74AC83D634108E625D5C443124744D328DAD02C00AC7F5BD3E9E063274B,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718879 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:27.285 | ProcessGuid={3BF36828-853A-61B1-7100-00000000CE01} | ProcessId=2816 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-128.attackrange.local | SourcePort=60064 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718885 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.953 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=8D79BDEA5D5B9002D81F2DC5AB2734DA,SHA256=52D915095FE630E47A809F7BA9A364C6D1B3CBB4735CA448178C47A93D7404BC,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847393 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.798 | SourceProcessGUID={B81B27B7-52CE-61BA-5607-00000000CD01} | SourceProcessId=2832 | SourceThreadId=6636 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} | TargetProcessId=1196 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847392 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.597 | ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} | ProcessId=3388 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F8E3B700A9E671C3B809FF359EA1D1E4,SHA256=0FDCF5B20D9CBEFB54B7660F529D45CABB5404B206EF6DA77B2754A4DD5FA019,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718884 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.484 | ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} | ProcessId=2196 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=39234F42C696A56D57AAAEFD713A6050,SHA256=1E44B4CFFA9618A4F373C3E0186B86F1D5C8F896FD6550D4DB28FE8E80C488BC,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space

EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718883 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:29.118 | ProcessGuid={3BF36828-851A-61B1-0100-00000000CE01} | ProcessId=4 | Image=System | User=NT AUTHORITY\SYSTEM | Protocol=udp | Initiated=false | SourceIsIpv6=false | SourceIp=10.0.1.255 | SourceHostname=- | SourcePort=138 | SourcePortName=netbios-dgm | DestinationIsIpv6=false | DestinationIp=10.0.1.14 | DestinationHostname=win-dc-128.attackrange.local | DestinationPort=138 | DestinationPortName=netbios-dgm

EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=132718882 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-128.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:29.118 | ProcessGuid={3BF36828-851A-61B1-0100-00000000CE01} | ProcessId=4 | Image=System | User=NT AUTHORITY\SYSTEM | Protocol=udp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-128.attackrange.local | SourcePort=138 | SourcePortName=netbios-dgm | DestinationIsIpv6=false | DestinationIp=10.0.1.255 | DestinationHostname=- | DestinationPort=138 | DestinationPortName=netbios-dgm

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847391 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.551 | SourceProcessGUID={B81B27B7-1E7C-61BA-3000-00000000CD01} | SourceProcessId=3184 | SourceThreadId=3208 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={B81B27B7-52CE-61BA-5607-00000000CD01} | TargetProcessId=2832 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847390 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.551 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847389 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.551 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847388 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 20:40:46.551 | SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} | SourceProcessId=732 | SourceThreadId=2452 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} | TargetProcessId=1420 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=64847387 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-987.attackrange.local | RuleName=- | UtcTime=2021-12-15 
20:40:46.551{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:46.551{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:46.551{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:46.551{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:46.551{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:46.551{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:46.551{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-52CE-61BA-5607-00000000CD01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:46.551{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-52CE-61BA-5607-00000000CD01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:46.551{B81B27B7-52CE-61BA-5607-00000000CD01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000064847422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-52CF-61BA-5807-00000000CD01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.886{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-52CF-61BA-5807-00000000CD01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.886{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-52CF-61BA-5807-00000000CD01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.887{B81B27B7-52CF-61BA-5807-00000000CD01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.617{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A924A20AE080659510D00FFAE38A1451,SHA256=B0FB6775D7015FAEED68A8194F5767FD3CE92B609B2D241292432BB492A67512,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.586{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=858EB8ABBC769FD7941F9A55FA8C7E62,SHA256=F862B20E0F0922F9D5AAF54EE54E08F0D69F4CD1FA3FE838F6473AA6C56971B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.439{B81B27B7-52CF-61BA-5707-00000000CD01}70885972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.213{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-52CF-61BA-5707-00000000CD01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.213{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:40:47.213{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-52CF-61BA-5707-00000000CD01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.213{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-52CF-61BA-5707-00000000CD01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:47.214{B81B27B7-52CF-61BA-5707-00000000CD01}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:48.916{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF249FC44BF15866847B501B947C1F90,SHA256=319DCB7FACE775EAFD48E7F72778F593C1CE44A8EDE5FB7121CBA325DDF36521,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:48.632{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2101801FE73BA675F69219B908F0D0D,SHA256=747CF94A3F31D08E389B50D2E8A09D68C35D0D90B66F1E59AAF0D1BBB01D471E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:48.141{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13405362304005E0FC6A0CC3EDE6538C,SHA256=5D4AC64AD659D5BD6A93F5499FA664353F14A6D622CAC9305F88032D06965D14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x8000000000000000132718886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:48.031{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61D20C984F1E2000AD5757EE9FB5BF3,SHA256=44DC28BD23E999901A48DDA212353EA0235AD39FB60C2451A68CEE00E815E1D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:49.869{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38387E92ACA9968E6AF4C99CDB305CD,SHA256=BF415647B211F031716C5ACAFC08DCA1FBD5E652272F64C80BBD5E55E6FCCA1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:49.297{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2F14DF5977E1BC8E4A4B7E79976DDD2,SHA256=6F7F349B8E0149FF04EED76CF1CF1BEBE19783737F8F30CE6F5E8793F2CB38F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:49.109{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78538E71BBFC10AAA79B35AAA20E49F,SHA256=9AC63316A9F58FF2DDB4D2AC6098AB074674BC78A9993A2327FB509D09A6915F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:50.351{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5489E02DCF0F9D2EF69A7A5246C4BFD,SHA256=8601E1B6D3A628ADF265B87F2AB00FECDE0D46C73F461E44B067F324A9F2B58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:50.133{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1566943AFED4F47F7CCA05CB83D1972,SHA256=F40A7F3C44B179D5A45346F4B790783CDE9C7A08EF4BD3DEF2B5BD90B915A3F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:48.028{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52869-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:51.570{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58CB5ABC214C88FF11507FA6BB355FF6,SHA256=FB75D7DE4F3C591FF5E9F79F93737D2ADC3A7D75FEEEBCD17E91E373CE3870BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132718893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:33.160{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60065-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:51.226{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1325AF4C8B2D55EAD6861FB7F92FFD4,SHA256=6290EBBD7A60750CB06EC436C8A7B44CE30E9E885907027D6A8EB7F6E178AF3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:50.999{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9CAE130953E3FF3F57C780482A7C07,SHA256=919431BF79DBC741BF824F00BE23F1695C6EA5A561CF64E70822FADAB33AA61E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:51.999{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1D75113A7F5FF99EE51E61A1E460D6,SHA256=650FF15300C94789C7ABB15AA56FC49DD9207B85FA7E88C63160279E07E7A66B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:52.726{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=151CB05504EE56177EC6B237298C52F2,SHA256=63BE557781E883F52C316BD72D52A50D9B05B15FA97821057F6CEE3C342F1004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:52.242{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F4C46508172ABD7E47DD2C108CF854,SHA256=193F8154ED74E48EADC8D445326668CD646908BFD820FF6997DEBD2FC03C2930,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:52.999{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587DBC64DF02037E3E31CF9EF1CE10AC,SHA256=1B5B9292D00BDA616C2D574814C08A57FD81215756BE052E23FE0C114A391A2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x8000000000000000132718898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:53.742{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20889F6DED145A3A9DAF58F6B7B8444B,SHA256=A17CF3A588255E229119E3062D2871EADCE5C17C57A6276CED826A11F2FCE5AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:53.258{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980C9E240819B8545D683DE2DC6513C1,SHA256=053A3D44ACABFBA8CAD2D1A7E17C622B9F8B15002CCCD74329477130060EE3D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:54.289{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB87A402EE44AC3E1C5FC29B68CFA18,SHA256=046C04D7966B631BAD206541C4F74304ADEF73F696A29F3794E7F86F2A35B793,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:54.114{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B4A2CBA6D4509D89DA00F1F59A56CB,SHA256=76609094222494C1E317E1DA07A9FD88EE68AA89F7B4CD66199DB15B7988AFD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132718902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:38.168{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60066-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:55.508{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A252B48419527B49C6A177C752202E0C,SHA256=FBA5EB782A879EEC9E9F6FA001C6F947934548B0AF07CAC39B2280C214ED0C4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:55.146{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBDE2C4A579AD39F8D04BF5D0758BC7,SHA256=7E12B77E6537180148E3E17BD255C82ED6F4BE871631D19465643F3B0077ABC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:55.492{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46F6D51556F9FAF71658C26C8A6DC61A,SHA256=897EB78331C71FF9E06B7F0AE6C975D879DB604CCD1B53FB0D8A28B57933A067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:56.664{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49799DD6E73F52C9F0F8701DEC08D730,SHA256=D3D490F6858EBDF817A7C453129F4CFE7775898CBFCDBA25CBC8E5D6111BCCDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:56.539{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD4AF854C4B16A47870E412BD83BCE5,SHA256=93D3A7D68922E5C32D68003F27AB10DCBAB71B695F21D2DF98E7C7ED5AC513D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:56.245{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C16AE834FEC81FDD898E4BF073F098,SHA256=526CEA5D94D27671FF1DEDD70A85C8E7B858F24381E992FBBEA77C6D3436CDB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000064847432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:53.847{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52870-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:57.695{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1FCCD6CC1E84F8A9938CDD827A3F357,SHA256=6303C8A85CA4BC5C4499D7B8711A3334B6694127DD31C5F63F521B7ADEB12C60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:57.555{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8380B20C727E712BE2B066D67B1F51,SHA256=EDFA7D9D8FE5B1C07B92D01822FD68D0B38DE00E3B8F51FE68BD26EE257280E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:57.280{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F51425090C21A2E4407D5BFCEDB216,SHA256=B56015503825B0D4F0FDFE085CAAC0FEA9625B0D636CE5A0BED7F1B75B97A141,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000064847435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:58.363{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6808370BF0A2EA361C934D2ECB297B18,SHA256=72A6E5AE283D6C2D4D8CE912649948BA98ABD3CE00DC483E017F9BEEAF2EAE5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:58.570{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBF71A538690292BADD686B3578DB63,SHA256=161490F776FF1C09279E6A90C7162E3C3E29D22AC46CD174379718F3376D8436,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:59.409{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1899EE3B97BE3343AC73FD1FD1B41C,SHA256=FFC1F159263908931A2DAB81F66DC35E43214A1D34024B3104267744C979969F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:59.601{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D695DBCF3CFECEDA6EFB54444C2CB1,SHA256=55C294FBBD2816F3013E95AA748181461043015AE1EBA130D8589DE8408BF4C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:59.008{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153DE33DC4D182FBC05CEAF0D09A30F9,SHA256=1E81381413545753E520C5BC550B1BC06FCA561E10171F31CB1F2F269CA04982,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:00.508{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8336F1C4EA043376CD7EF62F49C9E50B,SHA256=B2747FAA319661A494F83D4E3C3B2F9723AEFD12642174ADA1606BF8244C943E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132718912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:43.277{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60067-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:00.617{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC70D1FF6B011DB48D3ABBDB81EC7B7,SHA256=35377035915A388FED0B9B84F8FC879F44C9D1602D0871842B1ECDB72132A172,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:00.070{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D17DD4845642CEE092018DD6F59BF6A,SHA256=421D1296FF80345412BCF82FF413C4D0908D7AB435B177AC6672E8D8C7CD3821,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:01.542{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969273D8BFD565425CADE060A8F2C90C,SHA256=C97E092152752560E106E9DC9454A055F63E15C4C6871443B9C5F96011DF7141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:01.680{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF480AEFA9F11BDB509E363EFEE610D,SHA256=A48CC87735EAF9ED890DA34AF89EA70C85B34579753801262FD780A55FE66345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000064847438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:40:59.857{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52871-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132718913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:01.383{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE433C503C395029CFFA126252736884,SHA256=06C3107F89981A3A01E82F7343D8CE8D2231C48477480932F06FE2FADEFA107A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132718915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:02.696{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1B6A5CBD5F8F01DA1F2905144F3048,SHA256=CD1CF53EE9DAFDA4651BFB55A4ED80E57D1E6E9987638E4CAF4175301F1BF097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:02.562{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F964041992C9B7D54146D7EC3312AB,SHA256=4FFC9F733198C76F727126C5755CB7D5249D65D6A5F10CC344A21E2C3F5A3AD5,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space

Microsoft-Windows-Sysmon/Operational records, one per line, split into their Sysmon schema fields and grouped by EventID (export order kept within each group). Columns identical on every record are stated once and omitted from the rows: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-.

EventID 23 FileDelete (Version 5, Task 23). On every row: User=NT AUTHORITY\SYSTEM, Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, IsExecutable=false, Archived=false - insufficient disk space.
RecordID | Computer | UtcTime | ProcessGuid | ProcessId | TargetFilename | Hashes
132718917 | win-dc-128.attackrange.local | 2021-12-15 20:41:03.726 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=143D696709C7E4B548A6202455EF83D0,SHA256=1F964B907F12EE5E273469993473F938A1F060C7852C51D7465BC036675FBBD9,IMPHASH=00000000000000000000000000000000
64847441 | win-host-987.attackrange.local | 2021-12-15 20:41:03.592 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EAFDC24AFFF682FDB3231A9C19CD3D7B,SHA256=89436D91774C8652EECE78C1FF2DD2E257930AD89680910A1D183AA1C383A32D,IMPHASH=00000000000000000000000000000000
132718916 | win-dc-128.attackrange.local | 2021-12-15 20:41:03.008 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F01C1FCC216F488D78E707BDEFA25AA7,SHA256=3ABFB15CB5983188B4C3EA610DC4D2CFD61CA5F33946A0AFE310C85B1DD1D10F,IMPHASH=00000000000000000000000000000000
64847442 | win-host-987.attackrange.local | 2021-12-15 20:41:04.739 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1C4AC6D614D185E4F61B758730F08D4F,SHA256=B0A2DE22609B16CF126736CE3AC0EA6600C049C4278531A28A96964C8C62279D,IMPHASH=00000000000000000000000000000000
132718919 | win-dc-128.attackrange.local | 2021-12-15 20:41:04.758 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=9C5DB7C3BF0F6FB401C4C1F26613CA0B,SHA256=B177DAF2E86A57E65B3A393BA30FD8E09464667392B319D8F1992DF9281B35C1,IMPHASH=00000000000000000000000000000000
132718918 | win-dc-128.attackrange.local | 2021-12-15 20:41:04.164 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F9DFFDEB4834344B4DCF4AF9081EDE1F,SHA256=E08B18B17C18F05DEC8FFD1CF966BCFC4ACE23C1F180B15DA805346807B477E3,IMPHASH=00000000000000000000000000000000
64847443 | win-host-987.attackrange.local | 2021-12-15 20:41:05.806 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1B96BDF243053F9B34F13F9E278E29DB,SHA256=9292EDB42380D1205A11C600F1A286E6B872169F36D536FC6849593BCB919BE1,IMPHASH=00000000000000000000000000000000
132718921 | win-dc-128.attackrange.local | 2021-12-15 20:41:05.773 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5897FC2EF8925B33DC1955EC43A7BC00,SHA256=39386DAB7E78B4F75E03D4AA80B05E7AAD5228DE8A9BAE691ED470C26F9263B8,IMPHASH=00000000000000000000000000000000
132718920 | win-dc-128.attackrange.local | 2021-12-15 20:41:05.195 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=FC4605A8555F1C306E037999E08618BF,SHA256=AA1E118F34BDCEAB65E7BA2959CF211E8919E7936A50D08472C140B375F1E29A,IMPHASH=00000000000000000000000000000000
64847445 | win-host-987.attackrange.local | 2021-12-15 20:41:06.921 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=0ECCA6A6C5F94B8BBCC0947373D203CB,SHA256=60FE940B79AB03D85787C92EBEA4F6FF2D5697E9B423E2E673D67156575B07DF,IMPHASH=00000000000000000000000000000000
132718925 | win-dc-128.attackrange.local | 2021-12-15 20:41:06.820 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D50024C10B1A4D6C43D61352DACFD88A,SHA256=7BE4820FB8AE2EA3B0A73BEA77A0AA8A994786BB3402F09FEA046669840166B6,IMPHASH=00000000000000000000000000000000
132718924 | win-dc-128.attackrange.local | 2021-12-15 20:41:06.461 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=16DA49591A768F169D69E3D73D0DEF93,SHA256=6753A81F44D871E13859AA5655AC97122DCCB362525058D12E36AE8F87C2B3D0,IMPHASH=00000000000000000000000000000000
64847446 | win-host-987.attackrange.local | 2021-12-15 20:41:07.990 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B5CB9EF65AFA0425EBFE6A9F5932C634,SHA256=85186BB7AA2F1F6B2835EB5718BB7DAA2089041AAAF7131BA7E817D5D7AA59CE,IMPHASH=00000000000000000000000000000000
132718928 | win-dc-128.attackrange.local | 2021-12-15 20:41:07.976 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=FCEC779802B67FEDC5F64E51B52E68A3,SHA256=AAB673AAAF6E8D471054316C250FB136F0073BBE264F4F69D2E9976CC92E1259,IMPHASH=00000000000000000000000000000000
132718927 | win-dc-128.attackrange.local | 2021-12-15 20:41:07.836 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B23CDAAF8382F9AE92795695D3EC57B4,SHA256=E6BE309B946CBB3641762065295E50F5C078C4CCE0FFDB07673E8FE25DB90D12,IMPHASH=00000000000000000000000000000000
132718929 | win-dc-128.attackrange.local | 2021-12-15 20:41:08.852 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=13EF59623F7F861EF81EC4ACB165C746,SHA256=1BF00D70CCC74951473D8853561122E5B49B7EF5DCDAA9F8D2CE54B908A709CB,IMPHASH=00000000000000000000000000000000
132718931 | win-dc-128.attackrange.local | 2021-12-15 20:41:09.868 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EFA8007C8D90826508854BF5AAB651FD,SHA256=4EF127B3CA7DDA946A2BD966CA5E8980B34A226ADDEF41F5A83C7588F8AF8A95,IMPHASH=00000000000000000000000000000000
64847447 | win-host-987.attackrange.local | 2021-12-15 20:41:09.043 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B8E20DCA1D8E85C8656132739BF98932,SHA256=B3C7128FC87D85B57D3FC21B87291A767B986B6A2897EAEF7A918BCD7E300D17,IMPHASH=00000000000000000000000000000000
132718930 | win-dc-128.attackrange.local | 2021-12-15 20:41:09.101 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=E7EA3DB8B8F7744A8EB8737008BF255A,SHA256=2D519074B1251D83961601768C7AA731D51707F86D427F1D642B3181DFDE9B2C,IMPHASH=00000000000000000000000000000000
132718933 | win-dc-128.attackrange.local | 2021-12-15 20:41:10.884 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6878F263D52B7BD13C0655ECB66A161E,SHA256=39A2DC93939AD10A92C85E3D64C04696F8AA70091BD80307DF1371B0A4AC410D,IMPHASH=00000000000000000000000000000000
64847448 | win-host-987.attackrange.local | 2021-12-15 20:41:10.105 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3EF73CC037B1A77657E40B6071B8A18C,SHA256=D039AB7879015BD6E22A34140DB9BFD71FAE3B04F564CC352B37943233E3CD6A,IMPHASH=00000000000000000000000000000000
132718932 | win-dc-128.attackrange.local | 2021-12-15 20:41:10.228 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=3A2950861CDC4D98D4C76D59A892E341,SHA256=CC0DBC1D328DD5BC5BB0818EA553207A52FE1B46A80112C043BFA19AB538DF1F,IMPHASH=00000000000000000000000000000000
132718935 | win-dc-128.attackrange.local | 2021-12-15 20:41:11.884 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=942B97A6B90F6E63A22783C8E0DECDDB,SHA256=1A63B993963D575452FC7A496F7F3B2F346F7B0390530F10E6BB83272D959409,IMPHASH=00000000000000000000000000000000
64847449 | win-host-987.attackrange.local | 2021-12-15 20:41:11.240 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B3D405644C99266C2EEE891CBE02F6AC,SHA256=4CBB6542B7F4516F87E7E54E512999F29B0729AF4A9AD8D14A70C63C1D41719E,IMPHASH=00000000000000000000000000000000
132718934 | win-dc-128.attackrange.local | 2021-12-15 20:41:11.415 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=704C374EFC30427DB8B88F30FDA44C3F,SHA256=5360311301371A5F04728BE42E1B22941C1FEB497CCD89A516D9F93B1F15E4E7,IMPHASH=00000000000000000000000000000000
132718938 | win-dc-128.attackrange.local | 2021-12-15 20:41:12.962 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=0E84ABD8DFDF4DFEB21821F472911752,SHA256=311BD280F445C6B5C4E023167B3511C5FA7DE16F8FC2F36EAFE4AE91FD99FB58,IMPHASH=00000000000000000000000000000000
64847451 | win-host-987.attackrange.local | 2021-12-15 20:41:12.272 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4C57FA51BBFA69296C32B87129336A5D,SHA256=653FA23BACB64B11CE0401C7FA5C8182DFC3DC1B60AD6D939576F97A6FFC707E,IMPHASH=00000000000000000000000000000000
132718937 | win-dc-128.attackrange.local | 2021-12-15 20:41:12.806 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=E418A908C5F8700AE3D390149104865B,SHA256=3DB384FFC0D919A8E64CB3116DE85972BBF7DF2E80830037BC978B9A80FB8B5F,IMPHASH=00000000000000000000000000000000

EventID 3 NetworkConnect (Version 5, Task 3)
RecordID | Computer | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
132718923 | win-dc-128.attackrange.local | 2021-12-15 20:40:48.373 | {3BF36828-851A-61B1-0100-00000000CE01} | 4 | System | NT AUTHORITY\SYSTEM | tcp | false | true | fe80:0:0:0:b574:557a:2d92:ce61 | win-dc-128.attackrange.local | 60068 | - | true | fe80:0:0:0:b574:557a:2d92:ce61 | win-dc-128.attackrange.local | 445 | microsoft-ds
132718922 | win-dc-128.attackrange.local | 2021-12-15 20:40:48.373 | {3BF36828-851A-61B1-0100-00000000CE01} | 4 | System | NT AUTHORITY\SYSTEM | tcp | true | true | fe80:0:0:0:b574:557a:2d92:ce61 | win-dc-128.attackrange.local | 60068 | - | true | fe80:0:0:0:b574:557a:2d92:ce61 | win-dc-128.attackrange.local | 445 | microsoft-ds
132718926 | win-dc-128.attackrange.local | 2021-12-15 20:40:49.136 | {3BF36828-853A-61B1-7100-00000000CE01} | 2816 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-128.attackrange.local | 60069 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
64847444 | win-host-987.attackrange.local | 2021-12-15 20:41:04.919 | {B81B27B7-1E85-61BA-6900-00000000CD01} | 4032 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-987.attackrange.local | 52872 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
132718936 | win-dc-128.attackrange.local | 2021-12-15 20:40:54.216 | {3BF36828-853A-61B1-7100-00000000CE01} | 2816 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-128.attackrange.local | 60070 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
64847450 | win-host-987.attackrange.local | 2021-12-15 20:41:09.938 | {B81B27B7-1E85-61BA-6900-00000000CD01} | 4032 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-987.attackrange.local | 52873 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
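The export carries four Sysmon event types (3 NetworkConnect, 7 ImageLoad, 10 ProcessAccess, 23 FileDelete) and raises the questions a triage pass has to answer for each: what rights a ProcessAccess GrantedAccess mask such as 0x1fffff or 0x101400 actually grants, whether a loaded image is signed and the signature valid, whether a FileDelete was archived, and whether a port 445 connection came from a remote peer. The following is an added example, not part of the export and not Splunk or Sysinternals code, that runs those checks. It assumes the records have already been split into pipe-delimited fields in the order given in its FIELDS table (an assumption of the example); the PROCESS_* values are the Win32 access-right constants from winnt.h; the conhost.exe allowlist is the example's own choice, based on the conhost.exe -> splunk-powershell.exe 0x1fffff record in the export; and the records in SAMPLE are constructed for the example, with GUIDs and hashes shortened and the tool.exe, lsass.exe and 10.0.1.15 -> 10.0.1.14 records invented to exercise the rules.

```python
"""Triage checks over Sysmon Event ID 3, 7, 10 and 23 records.

Added example, not code from the original export, Splunk or Sysinternals.
Assumes each record is already split into pipe-delimited fields in the order
listed in FIELDS; the records in SAMPLE are constructed (GUIDs, hashes shortened).
"""
from collections import Counter
from pathlib import PureWindowsPath

# Field order per event type (an assumption of this example): Sysmon schema
# order with the constant Channel/Level/Opcode/Keywords/RuleName columns dropped.
FIELDS = {
    3: ["RecordID", "Computer", "UtcTime", "ProcessGuid", "ProcessId", "Image",
        "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp",
        "SourceHostname", "SourcePort", "SourcePortName", "DestinationIsIpv6",
        "DestinationIp", "DestinationHostname", "DestinationPort",
        "DestinationPortName"],
    7: ["RecordID", "Computer", "UtcTime", "ProcessGuid", "ProcessId", "Image",
        "ImageLoaded", "FileVersion", "Description", "Product", "Company",
        "OriginalFileName", "Hashes", "Signed", "Signature", "SignatureStatus"],
    10: ["RecordID", "Computer", "UtcTime", "SourceProcessGUID", "SourceProcessId",
         "SourceThreadId", "SourceImage", "TargetProcessGUID", "TargetProcessId",
         "TargetImage", "GrantedAccess", "CallTrace"],
    23: ["RecordID", "Computer", "UtcTime", "ProcessGuid", "ProcessId", "User",
         "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"],
}

# Process access rights from winnt.h; PROCESS_ALL_ACCESS is 0x1FFFFF on Vista+.
PROCESS_RIGHTS = {
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
INJECT_CAPABLE = 0x2 | 0x8 | 0x20  # CREATE_THREAD | VM_OPERATION | VM_WRITE
PROCESS_VM_READ = 0x10
# conhost.exe opens the process whose console it hosts with full access (the
# export shows conhost.exe -> splunk-powershell.exe with 0x1fffff), so this
# example excludes it from the injection rule instead of alerting on it.
ACCESS_ALLOWLIST = {"conhost.exe"}


def parse(line):
    """Split one pipe-delimited record into a dict keyed by Sysmon field name."""
    parts = [p.strip() for p in line.split("|")]
    event_id, values = int(parts[0]), parts[1:]
    names = FIELDS[event_id]
    # CallTrace, the last EventID 10 field, itself separates frames with '|'.
    if len(values) > len(names):
        values = values[:len(names) - 1] + ["|".join(values[len(names) - 1:])]
    if len(values) != len(names):
        raise ValueError(f"EventID {event_id}: expected {len(names)} fields, got {len(values)}")
    rec = dict(zip(names, values))
    rec["EventID"] = event_id
    return rec


def decode_access(mask):
    """Expand a GrantedAccess mask into the set of named rights it contains."""
    return {name for bit, name in PROCESS_RIGHTS.items() if mask & bit}


def basename(path):
    return PureWindowsPath(path).name.lower()


def check(rec):
    """Return (rule, detail) findings for one parsed record."""
    out, eid = [], rec["EventID"]
    if eid == 10:
        mask = int(rec["GrantedAccess"], 16)
        src, dst = basename(rec["SourceImage"]), basename(rec["TargetImage"])
        if mask & INJECT_CAPABLE and src not in ACCESS_ALLOWLIST:
            out.append(("inject-capable-handle", f"{src} -> {dst} {rec['GrantedAccess']}"))
        if mask & PROCESS_VM_READ and dst == "lsass.exe":
            out.append(("lsass-memory-read", f"{src} {rec['GrantedAccess']}"))
    elif eid == 7 and (rec["Signed"] != "true" or rec["SignatureStatus"] != "Valid"):
        out.append(("unsigned-image-load", f"{basename(rec['Image'])} loaded {rec['ImageLoaded']}"))
    elif eid == 23 and rec["Archived"] != "true":
        # Anything but "true" means Sysmon kept no copy of the deleted file
        # (in the export: "false - insufficient disk space"), a forensic gap.
        out.append(("delete-not-archived", f"{rec['Computer']}: {rec['Archived']}"))
    elif eid == 3 and rec["Initiated"] == "false" and rec["DestinationPort"] == "445":
        # A loopback connection is logged twice (Initiated false and true) with the
        # same address at both ends; only a different peer counts as inbound SMB.
        if rec["SourceIp"] != rec["DestinationIp"]:
            out.append(("inbound-smb", f"{rec['SourceIp']}:{rec['SourcePort']} -> {rec['DestinationIp']}"))
    return out


def triage(text):
    """Parse every non-empty line; return all findings and a per-rule count."""
    findings = [f for line in text.splitlines() if line.strip() for f in check(parse(line))]
    return findings, Counter(rule for rule, _ in findings)


# Constructed sample records (shortened GUIDs/hashes; tool.exe rows are invented).
SAMPLE = r"""
10 | 132718955 | win-dc-128 | 2021-12-15 20:41:13.478 | {GUID-A} | 3668 | 3688 | C:\Windows\system32\conhost.exe | {GUID-B} | 512 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7
10 | 132718993 | win-dc-128 | 2021-12-15 20:41:13.681 | {GUID-B} | 512 | 3196 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | {GUID-C} | 2568 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134
10 | 900000001 | win-dc-128 | 2021-12-15 20:42:00.000 | {GUID-D} | 4444 | 4448 | C:\Users\bob\tool.exe | {GUID-E} | 640 | C:\Windows\system32\lsass.exe | 0x1010 | C:\Windows\SYSTEM32\ntdll.dll+a6134
10 | 900000002 | win-dc-128 | 2021-12-15 20:42:00.500 | {GUID-D} | 4444 | 4452 | C:\Users\bob\tool.exe | {GUID-F} | 1234 | C:\Windows\explorer.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134
7 | 132718994 | win-dc-128 | 2021-12-15 20:41:13.681 | {GUID-B} | 512 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 | AppModel API Host | Microsoft Windows Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5...,SHA256=D4F1...,IMPHASH=9452... | true | Microsoft Windows | Valid
7 | 900000003 | win-dc-128 | 2021-12-15 20:42:01.000 | {GUID-D} | 4444 | C:\Users\bob\tool.exe | C:\Users\bob\helper.dll | - | - | - | - | - | MD5=0000...,SHA256=0000...,IMPHASH=0000... | false | - | Unavailable
23 | 132718917 | win-dc-128 | 2021-12-15 20:41:03.726 | {GUID-G} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=143D...,SHA256=1F96...,IMPHASH=0000... | false | false - insufficient disk space
3 | 132718923 | win-dc-128 | 2021-12-15 20:40:48.373 | {GUID-H} | 4 | System | NT AUTHORITY\SYSTEM | tcp | false | true | fe80:0:0:0:b574:557a:2d92:ce61 | win-dc-128.attackrange.local | 60068 | - | true | fe80:0:0:0:b574:557a:2d92:ce61 | win-dc-128.attackrange.local | 445 | microsoft-ds
3 | 900000004 | win-dc-128 | 2021-12-15 20:42:02.000 | {GUID-H} | 4 | System | NT AUTHORITY\SYSTEM | tcp | false | false | 10.0.1.15 | win-host-987.attackrange.local | 51000 | - | false | 10.0.1.14 | win-dc-128.attackrange.local | 445 | microsoft-ds
"""
```

Calling `triage(SAMPLE)` yields one finding per rule: the lsass read (0x1010 is VM_READ plus QUERY_LIMITED_INFORMATION), the full-access handle from tool.exe to explorer.exe, the unsigned helper.dll, the unarchived deletion and the inbound 445 connection from 10.0.1.15. The two records taken from the export produce nothing: `decode_access(0x101400)` is only PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE, so splunk-powershell.exe opening splunkd.exe has no memory-write or thread-creation right, and the DC's port 445 record has the same link-local address at both ends, so the loopback exclusion keeps it out of the inbound-SMB rule.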
Microsoft-Windows-Sysmon/Operational records, one per line, split into their Sysmon schema fields and grouped by EventID (export order kept within each group). Columns identical on every record are stated once and omitted from the rows: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-.

EventID 23 FileDelete (Version 5, Task 23)
RecordID | Computer | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
64847452 | win-host-987.attackrange.local | 2021-12-15 20:41:13.302 | {B81B27B7-1E8D-61BA-7300-00000000CD01} | 3388 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C026189DB5AF189767E93CA84EF16925,SHA256=038660EC16DECB427A6253949D885368E2E2CF4FDBB6427E15236403654594C3,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space

EventID 7 ImageLoad (Version 3, Task 7). On every row: Computer=win-dc-128.attackrange.local, ProcessGuid={3BF36828-52E9-61BA-5809-01000000CE01}, ProcessId=512, Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe.
RecordID | UtcTime | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
132718994 | 2021-12-15 20:41:13.681 | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | true | Microsoft Windows | Valid
132718992 | 2021-12-15 20:41:13.681 | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | true | Microsoft Windows | Valid
132718991 | 2021-12-15 20:41:13.681 | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid
132718990 | 2021-12-15 20:41:13.509 | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
132718989 | 2021-12-15 20:41:13.509 | C:\Windows\System32\rsaenh.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
132718988 | 2021-12-15 20:41:13.509 | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
132718987 | 2021-12-15 20:41:13.509 | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | true | Microsoft Windows | Valid
132718986 | 2021-12-15 20:41:13.509 | C:\Windows\System32\bcrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
132718985 | 2021-12-15 20:41:13.509 | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366A | true | Microsoft Windows | Valid
132718984 | 2021-12-15 20:41:13.509 | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
132718983 | 2021-12-15 20:41:13.509 | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369 | true | Microsoft Windows | Valid
132718982 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
132718981 | 2021-12-15 20:41:13.493 | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
132718980 | 2021-12-15 20:41:13.493 | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
132718979 | 2021-12-15 20:41:13.493 | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
132718978 | 2021-12-15 20:41:13.493 | C:\Windows\System32\combase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
132718977 | 2021-12-15 20:41:13.493 | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | true | Microsoft Windows | Valid
132718976 | 2021-12-15 20:41:13.493 | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
132718975 | 2021-12-15 20:41:13.493 | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
132718974 | 2021-12-15 20:41:13.493 | C:\Windows\System32\gdi32full.dll | 10.0.14393.4350 (rs1_release.210407-2154) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | true | Microsoft Windows | Valid
132718973 | 2021-12-15 20:41:13.493 | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | true | Microsoft Windows | Valid
132718972 | 2021-12-15 20:41:13.493 | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
132718971 | 2021-12-15 20:41:13.493 | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
132718970 | 2021-12-15 20:41:13.493 | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
132718969 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
132718968 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | true | Splunk, Inc. | Valid
132718967 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
132718966 | 2021-12-15 20:41:13.493 | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E | true | Microsoft Windows | Valid
132718965 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
132718964 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
132718963 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
132718962 | 2021-12-15 20:41:13.493 | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
132718961 | 2021-12-15 20:41:13.493 | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
132718960 | 2021-12-15 20:41:13.493 | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
132718959 | 2021-12-15 20:41:13.493 | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
132718958 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC | true | Splunk, Inc. | Valid
132718957 | 2021-12-15 20:41:13.493 | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20 | true | Splunk, Inc. | Valid
132718956 | 2021-12-15 20:41:13.493 | C:\Windows\System32\advapi32.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBC | true | Microsoft Windows | Valid

EventID 10 ProcessAccess (Version 3, Task 10). On every row: Computer=win-dc-128.attackrange.local. CallTrace is the last column and itself separates frames with |.
RecordID | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
132718993 | 2021-12-15 20:41:13.681 | {3BF36828-52E9-61BA-5809-01000000CE01} | 512 | 3196 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | {3BF36828-852F-61B1-3500-00000000CE01} | 2568 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
132718955 | 2021-12-15 20:41:13.478 | {3BF36828-8530-61B1-3C00-00000000CE01} | 3668 | 3688 | C:\Windows\system32\conhost.exe | {3BF36828-52E9-61BA-5809-01000000CE01} | 512 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

734700x8000000000000000132718954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:13.478{3BF36828-52E9-61BA-5809-01000000CE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132718953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-52E9-61BA-5809-01000000CE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132718952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-52E9-61BA-5809-01000000CE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132718951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-52E9-61BA-5809-01000000CE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132718950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:13.478{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-52E9-61BA-5809-01000000CE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132718940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.478{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52E9-61BA-5809-01000000CE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132718939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:13.463{3BF36828-52E9-61BA-5809-01000000CE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:14.317{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA37E1FC181C5F73F3A4F8DD54A8CC79,SHA256=6CC5B8C895B86CC805084C4DA02BB2A6B26ABF12E39EBE8AC4ABA882C020DCEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132719107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132719105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000132719103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132719101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.868{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132719100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132719097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132719095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000132719093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132719089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132719088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000132719086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132719081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132719077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000132719073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132719070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132719069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132719067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.853{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.853{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.838{3BF36828-52EA-61BA-5A09-01000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.572{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0CC40BF6ABC8850DBC9FCA9BA3B57A2,SHA256=B2FFE184CA192EC257E2C337C67AA72DFEB485DB12369EE25F4CAADC248579DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.509{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CCCA16316538722B4C303F94704D9CA,SHA256=DA57A6FF003250CA98995061CBDBEE3CC393573DEAAA42506BD2335066DCC3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.447{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCFBA9A8ABECA7C2A6CDC8883ED056F,SHA256=3C911A14B357FE54B233E1DF8B5963C31CB02DAB5844651B9F31EA38C62C70EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000132719053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.322{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000132719052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.322{3BF36828-52EA-61BA-5909-01000000CE01}8564280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.306{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000132719050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.306{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132719049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.243{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BEFEE4E8DF4B829171FE84B32A5024B,SHA256=1081516CBCD6F71695A9D7D41C22DDB1240B385DA8746FDFCEDC47F447CA609E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.243{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9E66ACAA7BDC663DDB151202A4C41C,SHA256=D0B1BD4664BD1DE4B57DB7F8B17C90F0EC4E177388DF7BF7E0D2A48C6F006307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132719046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132719044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000132719043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132719042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132719040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.181{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132719039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft 
WindowsValid 734700x8000000000000000132719036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132719033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132719032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132719030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132719029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132719025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000132719022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132719018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000132719013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
10341000x8000000000000000132719011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132719008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132719007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000132719005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132718997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:14.165{3BF36828-851C-61B1-0500-00000000CE01}412428C:\Windows\system32\csrss.exe{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132718996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.165{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132718995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:14.150{3BF36828-52EA-61BA-5909-01000000CE01}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:15.434{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269EA3655AB61416C00C732A1EFB1564,SHA256=5DF6F3D9DB45AD525B96ADC8B6D541F22A3005D3493824F66616464F1D1138FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.993{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E2799103A804ECC87127CC518678670,SHA256=FA93EAE468AB552F711AE706819DFCF6D1304024424384D0A08280A74767F399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.931{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD87C4443CE8C5533FDEA622F81E17AB,SHA256=4A034F13E313276E688618FDD75E975A0241BDD4898266E10032C10B5B72700B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.900{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132719233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.900{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.900{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft 
WindowsValid 734700x8000000000000000132719231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.900{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.900{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132719229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.900{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.900{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132719163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132719162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000132719160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132719158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.384{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132719146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132719144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132719143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000132719142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 
(rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132719138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132719136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000132719135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000132719134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE 
API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132719131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132719130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-52EB-61BA-5B09-01000000CE01}5408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000132719128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:15.368{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:15.368{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.368{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.962{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.962{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.962{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.962{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-52EC-61BA-5E09-01000000CE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.962{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52EC-61BA-5E09-01000000CE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.954{3BF36828-52EC-61BA-5E09-01000000CE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.947{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCFD6D966A673E786EBDC93F932F2297,SHA256=D89E0012174036EF64C9962A70B81A91D60B0F962A012D23C78DE58F10DC1337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.884{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DC4FB08E00048264FBF765129586E8F,SHA256=07A7BE230625E0F85FA976773373F9C7575944FD7A9AFB8D418B13554ED0FF7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.822{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=739EFDF17922E19F3703AB55D4784610,SHA256=FFC060AD1DE25CC301EA5698BEB708AF403044EBA88631839746C21C2C155FE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.775{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA78F54A1B33E555680DF3B20DEE9FF,SHA256=0DF2C295D83006549E3AEC90073F5D8D27817E4C8B881293D0AC3A639D7AD318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.619{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.619{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.619{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000132719295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000132719294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132719292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132719290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132719288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132719287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.447{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000132719284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132719282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132719279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132719277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132719276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000132719274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132719272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000132719260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132719259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000132719256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000132719254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:16.431{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-851C-61B1-0500-00000000CE01}4123064C:\Windows\system32\csrss.exe{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.431{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.422{3BF36828-52EC-61BA-5D09-01000000CE01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.415{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FCAF83A0B2AB74D1A8DAB699A2FA032,SHA256=793700C805FEC157DDAA9B9FF7F5D7FB5489B9A470AB4DC2642B5686F30119A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.415{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB490C49DBE6CCCF20D4EEB5BEFB919E,SHA256=65BC8CE4A225F76728DEFF808D57666E52AB2D80CE480425DA6CF3146823A3D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.056{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30115886AE35E5DE429575C30FFD881,SHA256=31C9048D6A2874DC64C863F947C783A19388613BBD6D2FCB17B9B08E0E33FFE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.040{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.040{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® 
Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:16.040{3BF36828-52EB-61BA-5C09-01000000CE01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000064847457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:15.966{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52874-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:17.616{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B4F6772528A066BC6E5AEECC3C8FDA,SHA256=EEDA56114E84187BE3298BF34DA9F3BC22771AD03A93514877D57E691E725840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.603{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0F72C95E163735C9D4839E514BD4AB9,SHA256=ED1F016067D26B5D2068508CF6FED4E09DEEA174B67FE8112952E54ABF77D889,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.603{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718A5411FBBC5B502B2000C6C4AAC89B,SHA256=281402D26E520350192C325F7DD2B82047263373EF5B39CCDC62900D53401786,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.244{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363A41E4CAAEF026D80172E507C205D9,SHA256=490F3674A992438A2D51541B279FA779B8115F175C5D811E63DCC3C888D545FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:40:59.278{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60071-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000132719361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.134{3BF36828-52EC-61BA-5E09-01000000CE01}5404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.134{3BF36828-52EC-61BA-5E09-01000000CE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.134{3BF36828-52EC-61BA-5E09-01000000CE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132719358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.103{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=526D41D13854DB12931AB5FD8250DA26,SHA256=7360D5C5000AA6F9E4D6ED76D31BDE12CA2EA9658DECAD4B165B19CA807A4413,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.040{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C246127587864051F0EEB8785C0BD24,SHA256=1760EFE3A69F6703D5FA24442215CC33D8026D8DD7F66FDF56743D16C77562D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.009{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD45AD54D23EA958FD9A4D312A5D820,SHA256=3FF0248CDDE5AFBC3710BBB38D4EAC9A87EC58FA835F3E9037D53C072D1B8383,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:18.633{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04ADDCEA16AA2690BEFE44E1583C2D2,SHA256=AC26B8AE2573588347E135C07671D9E7020D31E1A9AC6DE6D5E58ACB80075D40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:18.743{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDB7674F12E8F5439E0276295F8DFE15,SHA256=406B17D1D076C4FA23DD30B3113EBDCEA143692FEBA91B9E62AEAC6A87EBAA36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:18.618{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7DE218E52EB0B10FA22C74AD0B6031,SHA256=5346A6FBB8F57EA337608B580FB74D703FCBE2B7DC8A0898D1BBFF88083561A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:19.683{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA41F3D80A816A256BAF7512AB505C77,SHA256=8D36AEEDCDB187B3DA44729039DE89CC63C8EC045A6E24B907B7C08C80667D86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:19.884{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E8A4476B06A91B628EC3430B12E7226,SHA256=47358DD5C08644D72374FBDBAC5BDE1CC919CC064E5F834F683FA580F4A26E74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:19.650{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E153D5A2C81833DDF243B893CE43561E,SHA256=E77EB37A64F0B2AE88B422D4598FCF7E2D099B954D1B450ACF783D91E31E5CA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:20.733{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E57EA7BA6175DEBDDDCF4163BA03886,SHA256=039C6D680A1E4258A7614B7447BD9645721CB16B34AEAD86D0ADFC57056540A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:20.681{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1267CC25563A41A0C9EC97F901C34F00,SHA256=7727AAEBBDD42FED5847154BDC0D91FA4E4AB7EFD7BDEBAA1448ADAB2DC0C45B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:20.603{3BF36828-852F-61B1-3500-00000000CE01}2568NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000132719372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:20.509{3BF36828-851E-61B1-0D00-00000000CE01}8964504C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1600-00000000CE01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000132719371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:02.372{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60072-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000132719370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:02.372{3BF36828-852F-61B1-3400-00000000CE01}2388C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60072-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000064847461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:21.952{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016741E3A65495F2FB6E59A1600B2C0F,SHA256=1161E0C9125E82D43D32BC4BAAD06C1990A18EE32590613148D7681D011F14D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:21.712{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC71A52DFC10D2162AF6BA718E74D34E,SHA256=6EFFAD027E446EE454EA299270A231FA27CB053B1C6A91D23F3EC44F5AA8C3FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:21.056{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20268010ACF67BF2FF0234D4F1495B99,SHA256=D3891DFA392F5A69E3B2601CE6BC38C0A64DF1CCEF841428A0BA8FEF8B717E60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:22.969{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F783FD6141C118FCF88B5788A6300C2A,SHA256=1892114BDB476E6BE30666FA98FEF2469C20A37B5C54DB5DE4556F4DD2FFF04B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:22.759{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17147331C82F4F6BEC505AE6582E2F4B,SHA256=D7C9A8448196853FE714DE5324C0F8A1FB6BD85019C027F1693809C1C8B6BB90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x8000000000000000132719378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:04.637{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60073-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089-
23542300x8000000000000000132719377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:22.197{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F97071B55A59D4C777B5EE7E83C3AE,SHA256=73D93BECA3C7CE432612D15F207AA18F1430979C655E253A410C840CF9DE592B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:23.759{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE51CD415A777DFDD580E6E4F64BD84,SHA256=0F9005B938F69F945D0FB73C7373E526772546233462C9482FD2C77AC1A88CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000064847494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:22.010{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52875-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
10341000x800000000000000064847493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:23.767{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x8000000000000000132719381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:05.153{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60074-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000132719380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:23.447{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE71D48372F68435306A213AA8C66565,SHA256=3ACA764AB9770B9B714E0D6309D4876B5BC1617FB86CFD8B1CFEBFE8FAE08680,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:24.947{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977D8B531062A72FE8FC725519D53CC9,SHA256=09A25FDC7D19A96A4CCDDA258A5D2C5C04EC1FB61AF568310C52A27B6A1CAC68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:24.947{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C84699627EC134E1AC41547CCD4519C,SHA256=EC9C8E6A9FEBE5031FDCF7C8DD1894C26BB78FEC3539407FE105A5C7584F242E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000064847495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:24.451{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F09CC0DE5F9EDD988C6759695CDED2B,SHA256=14BC9C766ED233B129FB495A0E296D24F8FD40362BB3BC557306DF686F7725E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:25.978{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11F8EC7195F5F79343CCAEBEEB0509A,SHA256=E804F5B2D68E481939FB63A963A6BE6561BD4E90A9DE153C080A4943C768E7B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000064847496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:25.681{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7392F8F7939EAAA5F86E294AA9C1B27A,SHA256=49347A8589AF404CE0BEE7D2DDA85C4DA9EBA64499A8580B2B1FDF5C22CC6BA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:25.572{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACB70724F0980937814343CB3559A158,SHA256=0D651EA266655DE2E3BA6A20C7E8AF91858D3D3D3428241D47DCF1CAD18DCB4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000064847498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:26.730{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840AC4F15F03EEFBDE4FF83178EBECAC,SHA256=49B847183CA8858AABD22B1AF56AD063FAAD7FEEC2AEF519EA1B8FB1A728D766,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000064847497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:24.728{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local52876-false104.74.71.16-80http
23542300x8000000000000000132719388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:26.682{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E05F6D3B7EA16A60A0D92C392E8812F,SHA256=5A5757D30B09CE4AF8FA6E9ADAC8078F20D22F5B5E10C3B5A76D4941EE3D700B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x8000000000000000132719387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:08.986{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62301-
23542300x800000000000000064847499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:27.734{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62D8F6C5B7F6ED91CE1EC4445969FDF,SHA256=72A8961836F277A87B3AF6F5B20B7EB41B5843B455007D35545DB2EE9F7B33A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x8000000000000000132719390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:10.262{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60075-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x8000000000000000132719389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:27.009{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95712B44CDFE3195E60BF21FE4558DA7,SHA256=C6C319F4249E05A4A6182768ED8FABFAEFD1099A1BEE92B2F5BE4C72E4348F81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000064847500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:28.765{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE9999B78B59CF91EBFCE5DFF47A540,SHA256=1D739B394CB035404724749C563BB387EEA965F66F4B9203E83DAFDC5E8DBAC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x8000000000000000132719393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:10.746{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49312-
23542300x8000000000000000132719392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:28.181{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE1376E0EEA2ED00208A8239A3564CD0,SHA256=649FE634BCAAFC4EC5B82B4FD8FE1BBEF877DDB78459D97D4A347593FE737D2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:28.181{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50848AE1E497988961FD75968CB12643,SHA256=2B3A396ACBB0CA253B0EAF0B78DC0882FF5C6C8E23CC9B5E0C8EB9F81CAEC62C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000064847502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:29.866{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4A018F97C1863210BA0EDA03DE42CF,SHA256=5FD55727666DCABACEC4417FAAB2E101F541F1925B726BC24BBBBCD2228CB936,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:29.322{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B1E7F45FB73177B28936856E7DFE439,SHA256=06B188E39C17F577659E32564139445AA29B33759571571C32287B3A17B4105C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000132719394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:29.197{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAD6DBFFCB1D3CD10292745203B14FE,SHA256=D71F2ACD15EE2731A2257260091D76E8E12E6DEF0F78307C8E11920B36DA9A05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000064847501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:28.008{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52877-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:30.881{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47BE9A3EE115DC8C5A4C64173841294,SHA256=2C224B9DF4784C9FE8510DE3DC438CAA0D41BF43319CFC72B180A9D9DBCDBE92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:30.465{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E195C267A9FE5E55527E1FED29C1807,SHA256=3A3DF6A3C386AD9AA9F4697C017B37A6D0C78A14863F524ED09A93FD4B73AA91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:30.231{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835867BD879598CB001AB49647CB5827,SHA256=9AAF2205729C6ED3CFB7F3745E96C8F17129A7E06BEE77F745CAFA9F72D1EEE3,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000064847504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:31.930{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AB086CA348F8653D54DE966CCC5F36,SHA256=EDE512E72AA547F168ED63F01618C1B2040636B197E0632A0FC1B214531B7668,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:31.512{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84EAF8B5CBDD8595700F6F2432AD1AD1,SHA256=2155A708E509861FFB2A1A3D30B7720FF0BF60C828CB3360836010BC378ED200,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:31.247{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9672C47BAD38EA87743E1A8D7F5D52B3,SHA256=A9BBA7AD9E2796401D6D5F86BC6953A0E2F194A8949F51F3817E0440A5517E86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:32.967{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F32658B082F447AB88DD6482536EC0,SHA256=4FA16A94240BE9A844518D24502E3D2F1D2D737FAD14B43AFAD1D8024393BD5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:32.653{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D73876D01CF8D037598F26174014FF,SHA256=DAFAD3780C43FEB307DB1B0CA5F94B1FEA6BCB9808DEE974CD1D63C183CA3F9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:32.262{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666852C5541FF9F1216AB6E7155C9D7E,SHA256=BC03660B218B48DE60AFE7B3187A80C6024C0707F92CDEBDA12130233B46EBF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:32.567{B81B27B7-1E7A-61BA-1000-00000000CD01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C5C4B680FE50FB34FC2FBFB903B4158A,SHA256=004A3DEB8A671F3750A2CE9C4688053573110DF4339FAE003ACFEFDAF66A252F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.982{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437D6DE8171F2FA9685C9A9460ED6F52,SHA256=F763E79F4636029366F317250136B09DC541247F518C447EA165747D69CAEB69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.982{B81B27B7-1E7A-61BA-1600-00000000CD01}1184NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=901780EC1F9A9A9FB58D43E2EC7C03C0,SHA256=7321F37E7D50B2672448C6F6284C83EA13189EF9E32BD5535B2204AC3CF5FD41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.982{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.982{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.982{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000132719405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:33.903{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E4F2929A28803A22197E7F6520A9111,SHA256=293126C910C5139D76747DAB44DAA3B016274E3D3DC34B5CABDBD933ED762297,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:15.281{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60076-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:33.575{3BF36828-851F-61B1-1000-00000000CE01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0B1C714035924DBABB3F2D11C7C75F67,SHA256=2B5EF861BC9D2EA62A1788ED23BB7EE47ACB25A99A4F4BB833F281A9F968DEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:33.465{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A12319C178FE6D8B78DE4B928BA097,SHA256=AF5FA82240A028149C288740A32AE308657DF6D8182F8DAD3DADE06E48E3398B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.966{B81B27B7-1E79-61BA-0B00-00000000CD01}6366996C:\Windows\system32\lsass.exe{B81B27B7-1E76-61BA-0100-00000000CD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000064847521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.535{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.535{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.535{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.534{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.533{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.533{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.214{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000132719409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.382{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52879-false10.0.1.14win-dc-128.attackrange.local49666- 354300x8000000000000000132719408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.379{3BF36828-851E-61B1-0D00-00000000CE01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52878-false10.0.1.14win-dc-128.attackrange.local135epmap 354300x8000000000000000132719407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.266{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49313- 23542300x8000000000000000132719406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:34.497{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44CA8CF875D65CBE5FE5C2D7EE8110D,SHA256=1CBF69BC925CFE6431B48A54A9C3D053639EEAC30B1095BCD9F4E51D40975471,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.110{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52878-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal135epmap 354300x800000000000000064847531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:32.996{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local49313-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389- 
23542300x800000000000000064847530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:34.566{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20407F68C3C62F5AB0BE74069E61AB52,SHA256=FBE76337D61518735F250B59EBA9C350B8A23DEDFEE1A2157646B5422DF75F86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:34.566{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46B60740F47A94C10AF442B933673C1,SHA256=42EE95043EC91A7D5D5BD39C6B54FA055D3D366C482D177FB4A4C7982FE46A7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:34.113{B81B27B7-1E7B-61BA-2000-00000000CD01}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:18.020{3BF36828-851A-61B1-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52882-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000132719414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:17.700{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52881-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000132719413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.589{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49314- 354300x8000000000000000132719412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:17.579{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52880-false10.0.1.14win-dc-128.attackrange.local389ldap 23542300x8000000000000000132719411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:35.528{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838DAB1AFBE7814DCFD44FB196CCEA21,SHA256=C476E6B2CB7FECAFEDF1E52FABEA7B52EA5844441304A05572A10F5AB28796B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:34.997{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2179C8C40F5C2F3049E6AA622055C6,SHA256=F34822810A9EFBB4DC9ABE22A1F8AB9EAD783308EBC0E5D096E4510A6150A869,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:35.153{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51394AE3B25B84B83D1D86C3131C7357,SHA256=6855A0AD9C0C0339C7C8F422673550DE1CDB7990CC72F78B0E217E527DE5CA4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:36.541{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EA007427E0CBC9522995CFAB3DAC76,SHA256=E906E17BA4D56975EE19E3B31BC978A9AADCE12AE1C3C14DBECBDAC340AD9130,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:36.049{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC06C8D3BC2D23E9C856610DBA8F2837,SHA256=3CBBA7F7E46C63CCB043DA7554B4E9CC77679F9679476F388278A4F54BD89588,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:36.182{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17546382464C1EEB67848F6CA7DE9A79,SHA256=427B131933044F5345BB2E751112ADBFA5081B027016BB07D715AE17A0D94777,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.946{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52884-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000064847538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.878{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52883-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000064847537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.751{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52882-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x800000000000000064847536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.431{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52881-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 354300x800000000000000064847535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.310{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52880-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 
354300x800000000000000064847534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:33.112{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52879-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49666- 23542300x8000000000000000132719419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:37.577{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4C01D29E5E48334A6C03F819793C31,SHA256=A205E6FBE033858AA5C71303B2A8B035024EB526E5DAE3CEE7293C75C2478D76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:37.264{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219E85C60FF899082EAC073632BB3A6D,SHA256=E80CCD61613C241C2A53BAE77D909D20E7BFE72617895C048D90A1929680E298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:37.437{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F38D3A7448CB47F9097AA241222FFABB,SHA256=0D9848A1750D44AA9CA76F5F4F3B2D357968953979EB133D05AEEE00344E4D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:38.780{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF9D8DA6F3FDF9C0A80DED84065FCFC3,SHA256=23E6FA24D31A61699A16ADE93F1A14EEF5AEA5AC717A10701B11978715A51BD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:21.268{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60077-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:38.624{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB9A895BAA5006F65CB5C26959A431D,SHA256=19CD81F012A26369A76D4BC65163907E7D7A13C97366FF86B8AC67CB70297DD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:38.294{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795DC81A414A5A2CC8008644ABC55577,SHA256=1E0082FC29B9722F215B57EEDD0BD1775D9DDCE8630537DC48A4BCDE81DCC2A2,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000132719424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:39.923{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=438ADB3B930FBDA18149AF14392F47A2,SHA256=E5BC5063CBF84DF4412B1042E10EC5674764938C7F5E888A8F044A9B066D9A77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:39.640{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F018422938B4B5074494CABAD30DD36A,SHA256=60D2BD3100FE814F74E71D5CBB17759FC0F96994D7E4150A80A7C82328854240,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:39.431{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0424258EFBADE7B319DFB3B30D1ED7A,SHA256=6DAFCFC49D8A5574BBB3EEAA1D9251D2C1AB077CFBB091CBC846D81E4CF66224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:40.592{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8731F00A8A6F723176B0F8146C5C8A11,SHA256=99EC655294280037F8314160E9CCA0AD30A4ED88E570B193B51002E2075E2B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:40.687{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143BEE61FB55778A66F3FFFBEFDA3E5F,SHA256=E7FD24076D59DA89EFAE6824E0A6FA57AEBD2009933F675714B02E2113046EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000064847544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:41:40.046{B81B27B7-1E7A-61BA-1100-00000000CD01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7f1f4-0x297374f0) 354300x800000000000000064847548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:39.804{B81B27B7-1E7A-61BA-1100-00000000CD01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000064847547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:41.607{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BEB2309E7D9CA5E24B542326B36B44,SHA256=53B3C52BB1450949A14AE76B4FBD172F40BDD72EC473E125DA1661FC9878F233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:41.718{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD4690E015C61CA59348D70D6E817B8,SHA256=180C7B1A9486591CFD1E5F85B2CA2DB1AFCA1A46C37CA8DF040A1CF2C847B78A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:39.005{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52885-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:41.062{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D63C07518EDD381175FE13F3658AA8F,SHA256=CCEAFD1BD79B380C4AB20BBBCFA544DDC2C31A5C71F19077034C3104F65D3718,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:42.734{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439DE870901DCD522C12F095039BAF2C,SHA256=D55C73059D2222ED5950A6E79E68B806E218EA156D0BE7534103D3736A778A2D,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 10341000x800000000000000064847576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.928{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5306-61BA-5A07-00000000CD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.925{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:42.925{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.924{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:42.924{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.924{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:42.924{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.924{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:42.924{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.924{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:42.924{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-5306-61BA-5A07-00000000CD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.923{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5306-61BA-5A07-00000000CD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:42.923{B81B27B7-5306-61BA-5A07-00000000CD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:44.325{B81B27B7-5308-61BA-5C07-00000000CD01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:45.780{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E632648D4FDF967F879E6479260C75E,SHA256=3D1A9BAA7E257499CB1836AD9CA4A8C8121638A08D9EF2302E66C3E8347E9DAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:45.877{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5C087A90E1BC8EE6946A0E11E13FBB,SHA256=DDCAEC38FA49A65EBD5EFCE10570D359DA47282CDCD91F29D02D14802980C31A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:45.062{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F74D3CD7AD2AD988CE87E2B440B58EE7,SHA256=6209161DB35F9D30F6693E04CD8B9E8D56A65558F47A2F217F8C411F921BD283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:46.843{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA17D9E9237792FFC8054DE74952216,SHA256=96AC58E63F86DF4C276919052017E220156B4BCF4A5C34E09F13A29B9BD55F28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:46.202{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99BE9C1BBE719FE7B75E342B27EB5DAC,SHA256=0EB91F6ACC5EFA9ADF0CC224FA9F927EB797AF94BBACCE4DE09855776A7C8E7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:27.142{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60078-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000064847624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.729{B81B27B7-530A-61BA-5D07-00000000CD01}61521248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.545{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-530A-61BA-5D07-00000000CD01}6152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.545{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:46.545{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-530A-61BA-5D07-00000000CD01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.545{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-530A-61BA-5D07-00000000CD01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:46.546{B81B27B7-530A-61BA-5D07-00000000CD01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000064847610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:44.026{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52886-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:47.859{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACBFD510D3A80049F33ADA91C8A5C9F,SHA256=544A593312AF8ABCBC2EBBAE2928B3D9D6AEE7BED7808EE6435D955A8B90AB3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.727{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-530B-61BA-5F07-00000000CD01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.725{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.724{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.724{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-530B-61BA-5F07-00000000CD01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.724{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-530B-61BA-5F07-00000000CD01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.723{B81B27B7-530B-61BA-5F07-00000000CD01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.575{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D52FF0B647B10813F53D24B2F2692F58,SHA256=541AD22B0B1A45E84823DADBBFB13DE434C5CD693AB47D827D641B1B0535BCF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000064847639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.376{B81B27B7-530B-61BA-5E07-00000000CD01}41726556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.145{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-530B-61BA-5E07-00000000CD01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:41:47.145{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.145{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-530B-61BA-5E07-00000000CD01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.145{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-530B-61BA-5E07-00000000CD01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.146{B81B27B7-530B-61BA-5E07-00000000CD01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:47.060{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3620ECD7E58B337F5E71AAD830B7685F,SHA256=00CE40FC1AB37C8D2808874B1711D7068446339ED4AA2AF949D3ED3C157F6098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:47.390{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C1E0B902A6A7F0EDB820171A307A480,SHA256=1341219231BBED223ABFBD54B2A2FB3F591D199F8C34C8F2AF5A6706E25644B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:48.874{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C16CBB1F39F6F5D65DC095334244DB,SHA256=C497076B4F7063E1B5AB2E01B5F675514B7C36051ADF71746C9332F0AC346EB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:48.824{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0685BC7D2B29C4CF07154F9C69495783,SHA256=A9B6235586EB246861405A5D7E50D806602CEB80FAAFA3E7AFE9A61AF5896C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:48.343{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE65ED6156028387E5C9F5B2DCCDE036,SHA256=8C52125C82846F472450DB3F213D2889002F32914771F2DCD8704369616FCB83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:48.655{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44BCA76C6B16C4DDA97C3999305FBC46,SHA256=7C5FC6711BF68DB06244C2D07BE3A48424360A4449ADEB8C71A662BACB9A7A49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:49.358{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC4847AA8175C36FC82732208A5EE65,SHA256=B1DE91FF43DAA47F116D87EFAA8DC91CA10478281791D49DA922E1A44C12EF18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:50.573{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BF425641914BECE4BE34D676C674AA,SHA256=8F151558CD6B76905FA876BC7B733B03A6B05FC872EDB51B02C9A309DE744A2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:50.154{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B045D20E5C400CBD710899AA2AC832B3,SHA256=7D018E350349B018D4CABFE21A455AAF9747C7E081D54DFE2455A4A35DC2927E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:50.154{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A59F296F5723634A9DDE3090EEB0A8B,SHA256=E8486186392D3FCD097FE20CFD3B39F7ACB746DAAB58CCFDA78B6FE86DE5A2A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:32.267{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60079-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:51.741{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE9C091C95F5C56762893C2C829443E,SHA256=8687F8AA322ECFCE9EA151CBE453CBD9518500E2D0EE814C5ED34CC578ADEAB8,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000132719446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:51.295{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AF645440C15A071D78279A66ACE468E,SHA256=87FD77092926C94164D3DF3009ED88B4B63F9DEEC2C674B1A9F084D274BBC281,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:51.107{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55B7CCAE0F361B26C760437731EEDCA,SHA256=096CD4E7A446743FCF9D585298D115E7C89E8CFCFA99906C4A4A0E772EABC93D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:49.822{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52887-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:52.820{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B1704F967598D7B7D7E2404E4A628,SHA256=4847E00EDFD7D8C003F426ADBD0EB736353C6E5C1C4DE4D6F17C98DE521DF8D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:52.435{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7534C0FFDDFE541FF80AF3F5A62FA48E,SHA256=C89F42EEE89E81DB6F662DB6643EB445387C80FC4315ADEB378BC95BA94BC3CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:52.310{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC7B35BA54C9E71F51BDD3A020FEBE6,SHA256=34F358EA6001E89B58A4E657CA366CC15815210F6EDA93E055BD820132D3AA5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:53.870{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD63462EB9BEB24FBCD967DC41059B61,SHA256=C521E3EFD56DEBCDB124E9A02801305FB51A9C82F6A0FBB6C3D646FEE9C018A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:53.576{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C08F92D08940D97F57BF7C74B91B388,SHA256=3D112C2CB4143FE93B76E7BC3005D5B2A48ECF967EDF3CF079409089A6D6FC33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:53.326{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1BDB6E9FBCE436E9BD35CDAAEE78EA,SHA256=A20377273B7436ECC9FCE26DC2495CBDB92401125429B92C4F61826B210C50D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:54.919{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2780849E6C173193EC626B0928B14A3F,SHA256=0A488BBB4DB90ABC323CF3EB618FED00DBADA63726785419195C6324DE74316C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:54.780{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA921DC8A1E0A2F3DC54092A463A5F14,SHA256=07363D921720A3550355609CE7174EF700A99184ED8D358FFF9CC509E1554971,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:54.373{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0184E78ADD43B16A1800E861D43BB1D8,SHA256=30108E91424F251CA74870BB74C9E6D7B517A3219308F287C9A27E9872463DF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:55.842{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66D1A91B91859A0ADB2057881890F4BE,SHA256=476E261B658D44C5826613A06602A470131D7D3CA8B9349402D1AC6108AA0CFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:55.404{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231D67292F4057C848ED4CE99CD02B27,SHA256=668B757C6685D29AC075B1526403412F27834DB14E75003314C06C41991E90BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:41:37.313{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60080-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:56.951{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A366E7CCB3FEF9ABC58DEDF22AA1E2E0,SHA256=534ED5D53156885AA12DA27BC5FC285B2C4B29EE9AEB95A4D9559EE69A97EAE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:56.435{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BDEB69DD900F77E530257F6F7744BF,SHA256=EF6D1C9AE5579466A0A50ED5387B6D8E9D26BDD90C56ECC249C584122C9C8161,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:54.834{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52888-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:56.038{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F06FD886C1DD145666729FA77314306,SHA256=B716D7B7C79E32DACFAED8484FC03810F342C467CF73F9935E66B4B4577B501B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:57.623{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EC244415FC35F8EB1D2CE3B06FBCC6,SHA256=A990E50083EF0651397204C7588D477EE6198ABFF4F2AA0809C92613E5130617,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:57.200{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51383A13848199F0744CAC65C65E07A,SHA256=9A984F7DC175092B1CA8904AA64093408FA51B3BFF803E1C5B3F68265D9C1311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:58.638{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C27A2D08E02EA2058121B1C2945084,SHA256=87C993236D09ED62A7D6C601AA113A41340F8898F36F0801763FCAD32C1353C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x800000000000000064847666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:58.200{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5192FEE3C27C79CEF6A0B196782C6D55,SHA256=843D64CE0D3554B4CA43694081636021D8EA1EB0CCD492F282E813550EA5277C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:58.201{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8426ACB089426198AFDA273213EC5471,SHA256=AB2538D93AFE0B2614B55352C9CA619C4AD0D3BD0A1A812FA5D47843A584BE07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:59.670{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF5D228A01546533BE5026EDD1B5778,SHA256=DE760D1F59CD2197BC3EC075AB7EB19671600F8E9D48761E678EDF4EE1F56781,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:41:59.217{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF7503FED0873E306CF95E8211010A5,SHA256=AF7FC62CFAB054E4ABC99F8714285E855175CF715F48CA015320A64216A1B485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:59.435{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3D3535C7B820155FE66F39679FA333,SHA256=6269AA6E05137C4A0348C9911BE46144D1C4AE653757D998017EF0164346E2D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:00.935{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57642246F590C6F2EBCA0DD4EC795F4C,SHA256=911EA9CC2D22095FF7ECB0B70710782F78066B0AA057FF1CFC34616FEDC77301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:00.701{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E6024FB0686BC7CEF674FAA71BEBC6,SHA256=D843EDFC9F0427C696CB779C2A31988EA68F0D34BB2163FEC3F763A18EAF3492,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:00.238{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BCDDD642D8BD76A0C1CBB93C4D2EB7F,SHA256=F344ABAB6B31C890F646454E83AB8C82047BFDE8DBE1957F3C407658BFFD26A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:01.453{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B71EFF252E899E019B2B768CB64682,SHA256=52EE11FCD3D3566419C12897DE31F90EB315668E6FB6EAC75BBAB67061888AC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:01.717{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E6CE9987145EAD4B4B8FF263320B1B,SHA256=A1B76AE2E790DC9743746F2C42F92067221B1BE2C3EAAE5D581E5B144F271C96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:43.187{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60081-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x800000000000000064847670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:02.468{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12BFB8E91D2A67B012789CE14D4F218,SHA256=F7F064337394D5784EE7DFFBEC416C206A272256BE8524EFA507E2471212E32E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:02.748{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E191AB4B2783043CE5C9F7257488A1A1,SHA256=04B2370D77F70D2808268F84C35D53D9444B46FBB2378AB3DBB3D59CA1ABC564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:02.201{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=430969CCEBB6AA9519D49482C3F523B2,SHA256=154F12A2D539761690CCA4FA5EE241B20DEB6530996D42EE4D29089F633F25EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:03.599{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C10CAD6616120E3F10EEEBF2F394A1,SHA256=E921B2D8BFD61DF8907116968328ED09B457FA0A3F7A1854628A56D400DF8749,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:03.779{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7F92829EEED48D6E3A0112118DD226,SHA256=29C82AA60ACDD35A9BB3FCA4BF7CD77546987A772B1134293D80E0432D993581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:00.849{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52889-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:03.217{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ACE6CEC85103F25F5AF0C49D68B3AA2,SHA256=20C8A7DCEB0FADE3640309743EC11D98F9D377506932F6DE8E8299A256687B7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:04.718{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C7500C7E982657B9A0842F15CED942,SHA256=CB2B3114BC79E3BB17287773122811BA2F8EB352E302B157A979DD7DEF544A55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:04.810{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DAB2DFBE3C00DAFE926F2693B873F5,SHA256=7C5330D42D700D4CF236D2B46AF2B2FBCD53B10B40F0C9039B76D8191483A779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:04.513{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F3C5754985150B12B5A10FC8C3594F1,SHA256=8F6FE0419B387D0045A40031E85FF71873E4E01B9953A7F5623EE04467D7169E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:05.842{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94EE81F6B2B03F134DBC66D0CCBF56F,SHA256=59E34354412947A0F5334174851987A441B59AD652FB7A2B6B8C029877BCEEA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000064847674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:05.768{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61070C18EE7111D4F88CE20DD5B247D9,SHA256=6D0C8DC39F5A46356E6542B26D02DEB21CE5BF0CCC3C893C91635DF9F758344A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:48.203{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60082-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:06.873{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613CF8E9BADA6100CBDD34DE81C28410,SHA256=67619EA4EA1BF5AA90FBE2101C252C751B894F030178D871E0BC4BD667BC7987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:06.817{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DE5C001C4E623C804933C75377AE24,SHA256=5E0B5BB0DCF74E7C611EA98631C9C364E64E1E78BDE47F253A17135ACDC0A1D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:06.232{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07F4A529C0F907146F6E0EB16339744B,SHA256=5E6364AE28821A50B27FF79DC5EC79B0E8E9051A7159DF3C92A06D94A34C52FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:07.853{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CF2EC7D4CFE733E726DFF2108076C7,SHA256=C4BB8D7DAA18BC12D99B28469DA8A4E65732595F1F10B367558F115B9E198CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:07.904{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0ED7B942E3064A34B3AB75B1F952ED,SHA256=2C5296E931A90532514F1B9495959D5FBF4A4210EDE919C1076B9C6DF03F2E51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:07.263{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3DAFDC92348AED5DF2C962CF5E39540,SHA256=8458D9145B77E40CBC6E2B88666E2F0C03572EDE72A2A6BD9716187A9B479893,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:08.868{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4E48115716B3EFE5FB64C70131879E,SHA256=91BC6FFE46C40729119123E4B79529534EEA42E01FD4D612E8D966BC3F252029,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:08.920{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F31697C03DFE00851318961E2C5CED,SHA256=D77AB9FB2CF3A13782D1A60AE410C01B8C63ED13A267E3A11E3EF0244AB1889F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:05.980{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52890-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:08.435{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CD0E44A82019F96B23B347ECD0A2F92,SHA256=1521B0E1C84AB465D480471C50933DD61E8E61A76D240A2C943A25A8DDA55933,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:09.968{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267ACDB6EE31A19E28B2733343310970,SHA256=A182FB3D947992667561368BF6621AAA3FDD36ED224FBE8E7426120048045FE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:09.966{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D51CF0B41D4CF2C28C83406A72A93F9,SHA256=7358A2CFE692E592DA049BB79C74F0454B1A4090E0D7DF63023409F56BC46E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:09.685{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA218E9C5C99B7EC1BD20B54991E5B2F,SHA256=F71AFBD948A956E218A066A1BC2A05628600D44F3B229C7B66A6F2B6B0F20EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:10.982{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AB1B42A5083A8569E84643697B8B28,SHA256=7C2793381F35207D9AC78CB5344C12896DCDB8BA50710A6A9A12FEC91E730198,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:11.020{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FCA9F7B185CB11F75327F7D1A6346D,SHA256=074119FDF213FB97A262DDB7DD3EE4FB97C2CE85A34DF956F58BFEF3432D4B0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:41:54.249{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60083-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:11.201{3BF36828-8542-61B1-7A00-00000000CE01}2196NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A10BC9F0EAF528053B851F7CBD4EC566,SHA256=699E3D16216CBE6BDA9088A0F8933E2D1804D0CE9D0DABFF0D6D0FD801E4D605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:12.085{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFF9008A02E5CD4211728A85F4D1592,SHA256=4E266895A463E5C6C731D49E7E279A4C2286695A0DD2B7C31F8D8E096BE8E545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:12.279{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18FBCE5EFA9AE62072EC01E30E20EB22,SHA256=FB67DCD45A30A4568E4EE0202E5424A63A8E665AFC7D8914570D39DDAFCAF348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:12.013{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153FF7E8E504AD15E04F63D5D484A8CC,SHA256=255B3300A5316E63AA7668E03AF921DFA85A03FC54FF8A77EADC363EEC40809C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000132719550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.638{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.638{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.622{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132719547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.576{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F1B30A60EE5A255F07110FED838B9E,SHA256=2FCEE1EB3D8BC48878FA9FCF5DE4960DA5A9C3608FF41BF90154D94D299AD5B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.529{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7DA85DD4B4DE729940077E58591BB4B,SHA256=C30EAA85A2F2B0371E122A61387B423492EDAD131200634A55572638FBF9BD14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:11.020{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52891-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:13.101{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F45A18957DB9E442B2631338B17CF52,SHA256=3B52EA9A61373A337DE9885B6BCB5E12C2B084F6A1CC9A0E4C9EEA1A2FB55821,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132719544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132719542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132719540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000132719538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132719537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000132719536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132719533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132719531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000132719528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132719527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132719522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe 
OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132719514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft 
WindowsValid 734700x8000000000000000132719513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000132719512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000132719511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000132719510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132719508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft 
WindowsValid 734700x8000000000000000132719506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000132719505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000132719503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000132719501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132719496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000132719494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-851C-61B1-0500-00000000CE01}412528C:\Windows\system32\csrss.exe{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.467{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.044{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CED1E7526B1245E5A066BC5265CB81,SHA256=2B41C835019D935D2F86F46CC1A057775D8A428479F950EFE444FDBF8D86E919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000064847684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:14.117{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED5AFDAA911C69156C9A280C2EB1D6F,SHA256=B6B1C0BBEAD3AAFC58D4C7A96424125A0C0DDDCE029A40A31B44CF62DC209B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.919{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9F361BDA99DAD39A6319559DFA82A80,SHA256=1E9D99595B8B3E4633D70C0D38B8E32B33DF6FF17C44C87D60B1F8A37980C27B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132719661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® 
Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132719659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
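The records above are Sysmon events (Event ID 7 ImageLoaded, 10 ProcessAccess, 1 ProcessCreate and 23 FileDelete) from win-dc-128 and win-host-987 in a Splunk Attack Range lab, exported with every field delimiter stripped: each record runs EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, channel, host, UtcTime and then the event-specific fields back to back. The parser and checks below are an added example and are not part of the original dump, nor Sysmon's or Splunk's own code. It recovers fields by relying on the Sysmon schema order and on boundaries that survive the flattening (GUIDs in braces, drive-letter paths, the MD5=/SHA256=/IMPHASH= hash block, the hex GrantedAccess value), keeps fields with no recoverable boundary raw, and then runs the three checks a practitioner would want on this data: Event 10 handles to a named process whose GrantedAccess carries terminate, inject or suspend rights (the 0x1400 handles svchost.exe opens to sysmon64.exe above are query-only and are left alone), Event 23 deletes that Sysmon could not archive (every one above reads "false - insufficient disk space", so no forensic copy of those deleted files exists), and Event 7 loads that are unsigned or not Valid. The sample records are copied verbatim from the dump; the function and constant names, the TAMPER_MASK choice of rights, and the assumption that the fused SourceProcessId/SourceThreadId value cannot be split are mine.

```python
import re
from typing import List, Tuple

# Each flattened record starts with EventID, Version, Level (4), Task (= EventID),
# Opcode (0), Keywords 0x8000000000000000 and EventRecordID, then the channel,
# host, a "-" placeholder, UtcTime and the event fields in Sysmon schema order.
HEADER = re.compile(
    r"^(?P<eid>\d+)(?P<ver>\d)4(?P=eid)00x8000000000000000(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>.+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)(?P<body>.*)$")
HASHES = r"(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)"
EXE = r"[A-Za-z]:\\.*?\.exe"  # a path field ends at its first ".exe"

def guid(name: str) -> str:
    return r"\{(?P<" + name + r">[0-9A-F-]+)\}"

BODY = {
    # 7 ImageLoaded: version/description/product/company/original name have no
    # boundary between them, so they stay raw in "meta".
    7: re.compile(guid("guid") + r"(?P<pid>\d+)(?P<image>" + EXE + r")"
                  r"(?P<loaded>[A-Za-z]:\\.*?\.(?:dll|DLL|exe))(?P<meta>.*?)" + HASHES +
                  r"(?P<signed>true|false)(?P<signature>.*?)(?P<status>[A-Z][a-z]+)$"),
    # 10 ProcessAccess: SourceProcessId and SourceThreadId are fused ("8405348").
    10: re.compile(guid("sguid") + r"(?P<spid_tid>\d+)(?P<simage>.*?)" + guid("tguid") +
                   r"(?P<tpid>\d+)(?P<timage>.*?)(?P<access>0x[0-9a-f]+)(?P<calltrace>.*)$"),
    # 1 ProcessCreate: command line, cwd, user, logon and integrity stay raw in "rest".
    1: re.compile(guid("guid") + r"(?P<pid>\d+)(?P<image>" + EXE + r")(?P<rest>.*?)" + HASHES +
                  guid("pguid") + r"(?P<ppid>\d+)(?P<pimage>" + EXE + r")(?P<pcmdline>.*)$"),
    # 23 FileDelete: User, Image, TargetFilename, Hashes, IsExecutable, Archived.
    23: re.compile(guid("guid") + r"(?P<pid>\d+)(?P<user>.*?)(?P<image>" + EXE + r")"
                   r"(?P<target>[A-Za-z]:\\.*?)" + HASHES + r"(?P<is_exe>true|false)(?P<archived>.*)$"),
}

def split_records(text: str) -> List[str]:
    """Records are whitespace-separated and start with the numeric header; a hard-wrapped record is rejoined by dropping the newline (the dump wraps after a space)."""
    parts = re.split(r"\s+(?=\d+0x8000000000000000\d+Microsoft-Windows-Sysmon/)", text.strip())
    return [p.replace("\n", "").strip() for p in parts if p.strip()]

def parse_record(rec: str) -> dict:
    m = HEADER.match(rec)
    if not m:
        raise ValueError("not a flattened Sysmon record: " + rec[:40])
    ev = m.groupdict()
    body = ev.pop("body")
    ev["eid"] = int(ev["eid"])
    pat = BODY.get(ev["eid"])
    if pat is None:  # event type this parser has no body layout for
        ev["body"] = body
        return ev
    b = pat.match(body)
    if not b:
        raise ValueError("unexpected layout in record " + ev["rec"])
    ev.update(b.groupdict())
    return ev

def parse_dump(text: str) -> List[dict]:
    return [parse_record(r) for r in split_records(text)]

# Process access rights from winnt.h; PROCESS_ALL_ACCESS is 0x1FFFFF.
RIGHTS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
          0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
          0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
          0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
TAMPER_MASK = 0x0001 | 0x0002 | 0x0008 | 0x0020 | 0x0800  # terminate, inject, suspend (my choice)

def access_names(access: str) -> List[str]:
    mask = int(access, 16)
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def handles_with_tamper_rights(events: List[dict], target_name: str) -> List[Tuple[str, str]]:
    """Event 10 handles to target_name with terminate/inject/suspend rights; query-only ones such as 0x1400 pass."""
    return [(e["simage"], e["access"]) for e in events
            if e["eid"] == 10 and e["timage"].lower().endswith("\\" + target_name.lower())
            and int(e["access"], 16) & TAMPER_MASK]

def unarchived_deletes(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Event 23 where Sysmon kept no archive copy of the deleted file (Archived is not "true")."""
    return [(e["host"], e["target"], e["archived"]) for e in events
            if e["eid"] == 23 and e["archived"] != "true"]

def untrusted_loads(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Event 7 loads that are unsigned or whose signature did not validate."""
    return [(e["image"], e["loaded"], e["status"]) for e in events
            if e["eid"] == 7 and not (e["signed"] == "true" and e["status"] == "Valid")]

# Sample input: five records copied verbatim from the dump above (one ImageLoaded,
# two ProcessAccess, one ProcessCreate, one FileDelete), one per line.
SAMPLE = r"""
734700x8000000000000000132719538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.500{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid
10341000x8000000000000000132719505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000132719500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.482{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x8000000000000000132719489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.467{3BF36828-5325-61BA-5F09-01000000CE01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000132719488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:13.044{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CED1E7526B1245E5A066BC5265CB81,SHA256=2B41C835019D935D2F86F46CC1A057775D8A428479F950EFE444FDBF8D86E919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
"""

if __name__ == "__main__":
    evs = parse_dump(SAMPLE)
    print("tamper-capable handles to sysmon64.exe:", handles_with_tamper_rights(evs, "sysmon64.exe"))
    print("deletes with no archive copy:", unarchived_deletes(evs))
    print("unsigned or invalid image loads:", untrusted_loads(evs))
```

Feeding the whole dump to parse_dump works as-is: records are separated by whitespace, and a record the page breaks across two lines (the break always falls after a space) is rejoined by dropping the newline before the body regex runs. Event types the table has no layout for are returned with their body unparsed rather than dropped, so a count by eid still covers everything in the dump.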
734700x8000000000000000132719657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132719655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x8000000000000000132719654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.857{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBDE59E664D02FB5B2694DBA133C868,SHA256=843B3482E2B51AB9489606290361EB4990C36DF6FBF64F9DB26A290A30EE5837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132719650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000132719647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132719646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132719644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 
(rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132719642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132719639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132719631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000132719629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132719626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132719623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000132719622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132719621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.841{3BF36828-851C-61B1-0500-00000000CE01}412428C:\Windows\system32\csrss.exe{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.841{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.841{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.832{3BF36828-5326-61BA-6109-01000000CE01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.826{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E0AEFEF3C83900A7FBAD29E5D87475E,SHA256=2465DB12FB51D58C8DA0F3A5B883512B137DF880C3B2E07ACAA53EF82D29BCE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.326{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000132719607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.326{3BF36828-5326-61BA-6009-01000000CE01}47124452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.310{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.310{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000132719604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132719603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132719601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 
(rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132719599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft 
WindowsValid 734700x8000000000000000132719597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132719596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132719593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.185{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132719590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132719589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132719587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132719585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132719583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000132719576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132719575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x8000000000000000132719569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132719568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT 
BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132719565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132719564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000132719561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:14.169{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-851C-61B1-0500-00000000CE01}4123064C:\Windows\system32\csrss.exe{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.169{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.154{3BF36828-5326-61BA-6009-01000000CE01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:14.076{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFF3BCE41D8E231A1D51B138A512BB3,SHA256=7563FAA23791175C9DB2181963B962B0BEA93C33390F6743B6B778A6403DED2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.966{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC5FEF04BC936E399101E2EDA4899CD,SHA256=ACBC0CF0A617295248FED891CAEC38CC31D33EC374258FE90ADDD8A5417E947A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 23542300x800000000000000064847685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:15.123{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FE89B6F20CD06AA72CAEF7221197DC,SHA256=9B5F2F1417089F221FF7E21E92D2B5C4FC86132D49A09AA2B13B81251792792E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft 
Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132719781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132719779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132719777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.935{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 
734700x8000000000000000132719776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132719773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132719771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132719770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132719769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132719766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132719765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132719764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132719763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000132719755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000132719749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132719748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000132719745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132719742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000132719739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:15.919{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.919{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.910{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.904{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E094AEA3602821EAA2FF5CE0D5F83F31,SHA256=5A43F0CB17B4C81A4339A6B9476314710734F63B0D3ECFC6BBA1C49AE0587CAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.763{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4DCFF8289495589A77A850C649A8A83,SHA256=DFF6F56AB33AB3BB3811F669FF11179A85173B9FB6AE22F01C19165F6CCD34FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.701{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF30CF96AC7494FD09B2065E45652C66,SHA256=9FCBC8E5D99BA56D5C83209E8A19D9D979A6C02648821AD3DDD2FE67097F945F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.638{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85487DF9B90783E1F089EF0DDA240291,SHA256=55C5F3D11137BBBD2027D2817C917026AD08329187AF0F4117F982D17D0C0A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000132719727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.545{3BF36828-5327-61BA-6209-01000000CE01}55124936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.545{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.545{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132719724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.451{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598CD48F114BB66E86BF3EB9549A9CBA,SHA256=5F295F27556A05E3BCA3B9B275448E4F7F5BB90A1731F24302EBCDC53FE3417D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132719722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132719721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000132719720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132719719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132719718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132719717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132719716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132719715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000132719713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132719712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132719711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132719710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132719709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132719708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.372{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132719707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132719705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132719701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 23542300x8000000000000000132719699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFC59F9597BB59608696A9C89F56E874,SHA256=0908726F7D1ECD2DB1F060ED3978FEA214E199DDB09B8A367BEA5077EDE415C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132719697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132719696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000132719695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132719694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:15.357{3BF36828-5327-61BA-6209-01000000CE01}5512C:\Program 
(rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132719814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132719813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132719812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft 
WindowsValid 734700x8000000000000000132719811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132719810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132719809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132719808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132719807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132719806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132719805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132719804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132719803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132719802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132719801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:16.607{3BF36828-851C-61B1-0500-00000000CE01}412528C:\Windows\system32\csrss.exe{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132719792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.607{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132719790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.592{3BF36828-5328-61BA-6409-01000000CE01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132719789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.388{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E97087772EFF1F68DA4F4CB17C74689,SHA256=A67CCA8DC7DC6321478465C8A115BE3C4C675BF4433DB45E8B56D6381A7EBE57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:16.091{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.091{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:16.091{3BF36828-5327-61BA-6309-01000000CE01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132719910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.951{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0294AD8038A95BCCAF5175587B6F8CB0,SHA256=9120F8E58E2CD4CCFA4F7E5FD0312FFD5CB77BD7CC89CEFEE1A1C1D28FBA7A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.857{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09EF2B6191655617FF8050D5217C28CA,SHA256=B411EFFC136FA67B161F1B11590BFADA00E50FF969E1EED9C7CA5DFBC432C9C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.794{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E76C1C94BC1B5CCD7154CBE536DA1C8B,SHA256=629D1557293EF729797F496F9B2DEB56D70C390B604382237729694E6DC4181A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.701{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=771BB785ECC73C522CE0DEC711BCB591,SHA256=90D4F3B99157FF6BC2F590D7765C1AF45096AE82AA483056B9F069E4C0E174F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.638{3BF36828-8542-61B1-7A00-00000000CE01}2196NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F610F8193383179B30B0885708007799,SHA256=3FEBC63F4E462DAA0EA89C39CA28E8B40E72BC470E908601CC814EF9B4FA74AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132719905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.435{3BF36828-5329-61BA-6509-01000000CE01}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132719904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.435{3BF36828-5329-61BA-6509-01000000CE01}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132719903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:17.435{3BF36828-5329-61BA-6509-01000000CE01}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A503DCE978A364065E34481B3F1405E,SHA256=59309F77BE075E3E1BD3A8990B614947575A73475A945C7E9A5A55295DEA1EE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:20.300{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835C392E9F43949C1CC5692B44E61D7D,SHA256=A68554166DFD1F82465730B66AE19236E60A17402F9CE0F36CC02587A783026A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:20.622{3BF36828-852F-61B1-3500-00000000CE01}2568NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:20.607{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC475D5D5E071456FCEB9283A694EBC,SHA256=B364F0BDD4F6AA647E6DE747942DE38ABF3A9AE46653DF4CDA8E65F855B2C264,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:21.966{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49FB74FF37349BE08BCB173976699954,SHA256=E667A6465D4341F5EC6A7F4A187C10B26121F3D8BFA7CE3826BFB3DFF92BAAB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:21.966{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924EA8A08C1B60DAE6E077260BD78E9E,SHA256=50A0A89BC9FC13FF59F626916C34291A11C1F9634D49E07AD85D13A881B64ECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:21.316{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9D325725B4E4FC1A32648FEF4FD984,SHA256=9230AF2592B0E99AAF30C90C55DCF1B5D129B6A5E46DD0CAB92E721A041F3B2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:22.351{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9AA03C303898BEC7AA9A80A63D4831,SHA256=E4F8F3A9BDF9FC788D5CC2245114FE902596C8E3880266B6ACE9B17C47E4F685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:04.655{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60086-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000064847694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:23.449{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD09E1159B3C6AF41B67BCA7E503E1D,SHA256=7A6A006A08709E169FEC1D267717C9DDCFB3C9FB41D3C196670A99F6883974CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:23.107{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76CA47371B04C064063C46E8EEF0963F,SHA256=C70F9306EC0E4368240F488A66607F5769DAAC66A2F3B2950AE6747DB431B8F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:23.013{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA75DAE995E7F8B500169346C45E1234,SHA256=2E0598D68E4DBC6E1BC324BFD8039C73779AF5D6B51580150042CF75528D5500,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:22.815{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52893-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:24.464{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD16E418FD35189BE4C3DAA85007A427,SHA256=5A43668FFE254A700DA56BA07EC819270E355DA0E3864F438E9BB507172F8654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:24.248{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4549840B8FBEC011F64C03DF6B9829EC,SHA256=81A908D3921C78EAE13013F75F40C2AFBC43DACC3D0CBD0275C0A30C56EBBB3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:24.248{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FBCBD09B73CC65CC2F6802BB6A8577,SHA256=A4C4035105BFDAD8BA6AF7CD600DA1E607F647B4FC815DAE7CF90E3701303CF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:05.265{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60087-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:25.513{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F623C21CE3E378059CC8B057F33E4EC,SHA256=D1FF12A4E84E7E25880C91AA0C89FB7036008D34A755EC3822EE842C0BC4829A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:25.405{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=213A00298314F9D00166747442B922BB,SHA256=856C9EEA080321D4221BFAEB41222FE318DFCA635832080FF97CB1153A75CBDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:25.294{3BF36828-8542-61B1-7A00-00000000CE01}2196NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA678C2017A189A7F4D8F565B7755F08,SHA256=85DE0BC0B6FCBC6F78AE63B82B63CE879117E4E0BEE0551E30104B3167159DC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:26.532{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC538049DFA8C27F87FFE41D6301A4E,SHA256=7ED254E28F634BD4A1E541AB7A219EA9C424FF66F5CD2A962C29D6C8E3046085,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:26.544{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDB403E9A2A66A988FC9260F49057648,SHA256=39BF80FDBC97FA1F5612D39DF9C395EB07FDC084A45FB42F38537944393C6929,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:26.341{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3715923622DE5DE8D7DF32C73F1830C7,SHA256=2450E1FA1CE47A0B4C50C6F8A201E7E3F3B2141360A8CA9603C19C5452285C18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x8000000000000000132719933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:27.576{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C844DD29125F180FD679C945C5642EFF,SHA256=EED6CE637A167414DB5A652F4ADCA82158D9270C0177F8776CBE015AEEC5C9C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:27.419{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6692646E6A7074CF8AD950D6066D7F54,SHA256=CD57F3B679B0C1EF2A3EC469E799ED76AC89FFE9DB96730FF5D2BE9C866D5DAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:27.562{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563AAF5A669D3EF471148942A1309195,SHA256=451A76333EAD199E6EECF42FE57844BEA148D8CB5A9355FEF265C77A9B0B0095,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:28.745{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2DB14640D7DE68512B6FF801F9539,SHA256=8C6CDF961243BAC6615751351579447D3A2ECAF92F6A3F7592D9849F19E1620D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:28.872{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65D5E6EB18922C0E3A608F0B06AA714B,SHA256=3BC607BE7A05EE59D3C430251A4F5948D36C2996AB2C7FFD01A40235623B9739,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:28.419{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DEED1FD7CBC4952DE47A351F5AE659,SHA256=30A7B5D3E669165201FC410F3AC5BF85EB4B71948CAC9963870693839160D9CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:10.280{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60088-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:29.776{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5116B481336A659A6ECBF313404CF7D,SHA256=C2B3E132CDE6FCEF51FA67B1E12059A1544DBE6C4E1F74AB872D7D0CCC17540E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:29.968{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A457346B31302595BE97490386461144,SHA256=89C6DBC90F09A4983654A5FF07666CC933214F64663054F4D2E063C77008BD1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:29.468{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99981AB4E240C6E0937E70A58FB5EA24,SHA256=95E12967A8212C5FA101A8A57FC6212E5AE44C2A2A9E1A744CE2A990BEEEF3D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:30.808{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D0936A7782E3A75DC7779E808E4C77,SHA256=B130CD46753837CD3A0A8769F73DD4E54C287BC075F14D42F18952494A5520B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000064847702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:28.842{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52894-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:30.483{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33681AE57D7D9E6C447289225F9FDD2B,SHA256=89127BA73665D7ACD6C30DEF463FC9D1FFC845468E5B108CED10C97B2C684D41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:31.843{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2ADF864F39FF4767110590720D42D34,SHA256=FAFA85E236EEA88C806B0F48E829D356600A1DF8DEF08120B49951218E0561B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:31.514{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE80D97434C39B8716FD82BCCE08C5AD,SHA256=930082443A2F6FB7425BF182632584CF5A7ABDCB0A65C358C33830E48129091C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:31.328{B81B27B7-1E79-61BA-0B00-00000000CD01}6362272C:\Windows\system32\lsass.exe{B81B27B7-1E76-61BA-0100-00000000CD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000132719940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:31.311{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA4840CF97D5321C2B3B4897C1525C58,SHA256=FF6E1690DA2E6E3F13AE9BB39CCBE3D24256B09D17F187E7FFA3C96CF716D928,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000064847707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:32.857{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F400240D5D4DE6E3BB878AC6BF13B10C,SHA256=91D55AADBECC76B279130B7E974FCD74D8D6C32814D03642A00D325AB547695D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:32.546{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D91307727875D3E6B7DB36C865EA92,SHA256=8C88D64A7D50F98485B88AD67A1831D1CE44A2FA7436FC642651B650CFC81223,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:32.574{B81B27B7-1E7A-61BA-1000-00000000CD01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=087FB3A335B8CD22BC7CBD4BC981C3F8,SHA256=C1F5D081FB708F4733DE8B8E7D89C013D9CBE9A288DB0E186AF5DBB340ECA453,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:32.358{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFA30D172D4C43C7CD3891FA72A03D28,SHA256=36F2E16C74A2A746E3A244B7475B1E112F87684636431DCB5436F0DF7EE5065B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:31.114{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52895-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x800000000000000064847708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:33.872{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126472171325A47A7CA9755B5E6CE128,SHA256=87A8BAB95DB2C70C2D872126DB727471A667DEF72A7ADCE0C9E25BD65DFED384,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:33.733{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=122000F24F2DFB763ACA750EECE8AD65,SHA256=BAB2A01C8CB1FEC2972F134348BCDF3A853EBBB77A7F21C4CC2DED2C600A3148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:33.577{3BF36828-851F-61B1-1000-00000000CE01}92NT AUTHORITY\LOCAL 
10341000x800000000000000064847765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.933{B81B27B7-5343-61BA-6207-00000000CD01}12242996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.748{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5343-61BA-6207-00000000CD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:43.748{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-5343-61BA-6207-00000000CD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.748{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.748{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5343-61BA-6207-00000000CD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.749{B81B27B7-5343-61BA-6207-00000000CD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.280{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F00628ECEF715FB3189B056C678EFF3,SHA256=BD816A15B09A6EED04AB2B312204E9F8AD066878ED9F787D8EA43A9A834C112A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:43.395{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89AD838EBA85EE4E427F5753F34A9B70,SHA256=71E6426752497AECA092A214F0DA00C6643FFFF49C998C20201D47C13927B963,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.133{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD20D0561C9401152007C8CFFAE478D,SHA256=40A3FFF6707D8157194A874351385A1815B5DA25B6E985CA0C4BBA75940A76A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:43.133{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C01F9880D62123FC92D8F1068F15198,SHA256=928A575089E95EFC2D948D647EDFE350A2C583D536A61E5FA6C930BD65EA314D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:44.754{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC3BE0972F97376499E40B4C42F528B,SHA256=141EEEF0D6A9C28AD7E7208DA6E3E1372B974768646A672E8A7488EE7642AD48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:44.754{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A111FCC71D8297FB159978591AF12D,SHA256=07F1D4CE4DB45E54E46E8605C1F980421B9558B3C3EC52B8B49B7BE7BE7EE6CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.832{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD20D0561C9401152007C8CFFAE478D,SHA256=40A3FFF6707D8157194A874351385A1815B5DA25B6E985CA0C4BBA75940A76A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.433{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5344-61BA-6307-00000000CD01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:44.433{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.433{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-5344-61BA-6307-00000000CD01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.433{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5344-61BA-6307-00000000CD01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.434{B81B27B7-5344-61BA-6307-00000000CD01}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:44.332{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E6B39017515F376765F69E6861729A,SHA256=560844694AC5709726EB392021D5C544A1868F88367AF2A959A76F7E9F1E2674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
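The records above are Sysmon events whose XML fields were run together during extraction (System section, then EventData in schema order, with no separator). The Python below is an added example, not part of this dataset or of Sysmon or Splunk: it recovers the field boundaries from the fixed structure (Sysmon's Task equals its EventID, Keywords is always 16 hex digits, the Channel name is literal, every record here carries RuleName "-") and then triages the Event ID 10 ProcessAccess records, which are the bulk of this dump. The first three sample records are copied from this page (EventRecordIDs 64847726, 64847722 and 64847720, with call traces and hashes shortened); the fourth is constructed to show what an intrusive open of lsass.exe would look like, so its source process, GUIDs and unbacked-memory frame are invented. The access-right values are the PROCESS_* constants from winnt.h; the PROTECTED set and the verdict rules are the editor's choices, and SourceProcessId and SourceThreadId stay fused because the flattened text gives no way to split them.

```python
import re
from typing import List, Optional, Tuple

# System-section prefix as the dump flattens it:
#   EventID Version Level Task Opcode Keywords EventRecordID Channel Computer RuleName
# Sysmon's Task equals its EventID, so the back-reference (?P=eid) locates the field
# boundary inside the digit run ("10341000x..." -> 10, 3, 4, 10, 0, 0x...).
# Every record in this dump has RuleName "-"; a named rule would need a wider pattern.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)"
    r"(?P<kw>0x[0-9A-Fa-f]{16})(?P<rec>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<host>[\w.-]+?)-(?=[A-Za-z]*\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
)
# Event ID 10 EventData in schema order. SourceProcessId and SourceThreadId were fused
# into one digit run by the extraction and cannot be split from this text alone.
# GrantedAccess is matched lazily: its hex digits run straight into the "C:\" of CallTrace.
ACCESS = re.compile(
    r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"\{(?P<src_guid>[0-9A-F-]{36})\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.+?)"
    r"\{(?P<tgt_guid>[0-9A-F-]{36})\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?P<calltrace>[A-Za-z]:\\.*)"
)
# PROCESS_* rights from winnt.h. The 0x1400 seen throughout the dump is
# QUERY_INFORMATION | QUERY_LIMITED_INFORMATION, i.e. a status query.
RIGHTS = {0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
          0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
          0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
          0x1000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE"}
READ_ONLY = 0x0400 | 0x1000 | 0x100000
INTRUSIVE = 0x0001 | 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0800
PROTECTED = {"lsass.exe", "sysmon64.exe", "sysmon.exe", "csrss.exe", "winlogon.exe"}  # editor's choice


def split_records(stream: str) -> List[dict]:
    """One dict per record; 'body' is the EventData text that follows RuleName."""
    heads = list(HEADER.finditer(stream))
    out = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(stream)
        rec = m.groupdict()
        rec["eid"] = int(rec["eid"])
        rec["body"] = stream[m.end():end].strip()
        out.append(rec)
    return out


def parse_process_access(rec: dict) -> Optional[dict]:
    """Field dict for an Event ID 10 record, None for any other event type."""
    m = ACCESS.fullmatch(rec["body"]) if rec["eid"] == 10 else None
    if not m:
        return None
    ev = {**rec, **m.groupdict()}
    ev["access"] = int(ev["access"], 16)
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def names(mask: int) -> List[str]:
    return [n for bit, n in RIGHTS.items() if mask & bit]


def triage(ev: dict) -> Tuple[str, str]:
    src, tgt, mask = basename(ev["src_image"]), basename(ev["tgt_image"]), ev["access"]
    if tgt in PROTECTED and mask & INTRUSIVE:
        return "suspicious", f"{src} opened {tgt} with {', '.join(names(mask & INTRUSIVE))}"
    if "UNKNOWN(" in ev["calltrace"]:  # Sysmon renders frames in unbacked memory this way
        return "suspicious", f"{src} called OpenProcess from a frame outside any module"
    if mask & ~READ_ONLY == 0:
        return "benign", f"{src} queried {tgt} with {mask:#x} ({', '.join(names(mask))})"
    if src == "csrss.exe" and mask == 0x1FFFFF:
        return "expected", "csrss.exe takes a full-access handle to every process it registers"
    return "review", f"{src} opened {tgt} with {mask:#x}"


def analyze(stream: str) -> List[Tuple[str, str, str]]:
    """(EventRecordID, verdict, reason) for each ProcessAccess record in the stream."""
    results = []
    for rec in split_records(stream):
        ev = parse_process_access(rec)
        if ev:
            results.append((rec["rec"], *triage(ev)))
    return results


# Sample stream: three records copied from this dump (shortened), one constructed.
SAMPLE_STREAM = " ".join([
    r"10341000x800000000000000064847726Microsoft-Windows-Sysmon/Operational"
    r"win-host-987.attackrange.local-2021-12-15 20:42:42.133"
    r"{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe"
    r"{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|"
    r"c:\windows\system32\lsm.dll+e9d6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\SYSTEM32\ntdll.dll+51781",
    r"10341000x800000000000000064847722Microsoft-Windows-Sysmon/Operational"
    r"win-host-987.attackrange.local-2021-12-15 20:42:42.133"
    r"{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe"
    r"{B81B27B7-5342-61BA-6007-00000000CD01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffff"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f",
    r"154100x800000000000000064847720Microsoft-Windows-Sysmon/Operational"
    r"win-host-987.attackrange.local-2021-12-15 20:42:42.134"
    r"{B81B27B7-5342-61BA-6007-00000000CD01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
    r'8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"'
    r"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70System"
    r"MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0...,IMPHASH=357CEC18833E7FF2ABFB722902B13165"
    r"{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
    r'"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r"10341000x800000000000000064847999Microsoft-Windows-Sysmon/Operational"  # constructed record
    r"win-host-987.attackrange.local-2021-12-15 20:43:01.000"
    r"{B81B27B7-5351-61BA-7107-00000000CD01}51681900C:\Users\bob\AppData\Local\Temp\update.exe"
    r"{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exe0x1010"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|"
    r"UNKNOWN(000001C2F3A40112)|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
])
```

Run on the sample, `analyze(SAMPLE_STREAM)` rates the svchost.exe query of sysmon64.exe as benign (0x1400 carries only query rights and the call trace goes through lsm.dll and RPCRT4.dll), the csrss.exe 0x1fffff open of the newly started splunk-admon.exe as expected, skips the Event ID 1 record, and flags the constructed record both for VM_READ on lsass.exe and for its UNKNOWN( frame. In a real pipeline the PROTECTED set, the csrss.exe exception and the parent-process case (splunkd.exe also holds 0x1fffff on the children it spawns, as the dump shows) should be tuned against Event ID 1 data rather than hard-coded as here.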
23542300x8000000000000000132719972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:45.910{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0098F323D3313FB8D2647DF98D322FC,SHA256=02FACA13ACFBDBF25865C6E7A8AB95F9CC38A511C7C7D65758ACC15111D4E4D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:45.769{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B046BE0B81707C5F6391B84C357F3B,SHA256=81E8BE25C0FC5DC3B83D0F8D7ABB5B372F8A6C3CF3E61C2D7B1736097D56FD92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:45.401{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07347DA3972EF6ACAF559AA48D8C897,SHA256=15395D993C982E17A349CEB891D0BDA500428B3326A60B8B9B8A38B253A9F556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:28.099{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60091-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:46.785{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5071DAA4A133C161273A03F0DA3FB2AE,SHA256=2E9A271840FAE884E8DB8FD5D9D46934045C4349C268C952387F541D6365D726,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:46.779{B81B27B7-5346-61BA-6407-00000000CD01}43123312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064847805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000064847804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 
20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00ce5152) 13241300x800000000000000064847803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7f1eb-0xef649519) 13241300x800000000000000064847802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7f1f4-0x5128fd19) 13241300x800000000000000064847801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7f1fc-0xb2ed6519) 13241300x800000000000000064847800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000064847799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00ce5152) 13241300x800000000000000064847798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 
20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7f1eb-0xef649519) 13241300x800000000000000064847797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7f1f4-0x5128fd19) 13241300x800000000000000064847796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:46.732{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7f1fc-0xb2ed6519) 23542300x800000000000000064847795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:46.579{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C6C171E8678C54E5982EBE26ED629D,SHA256=357D6ADF4AB3ACE452C36F1576DC856BFAC1B39057C2F321BC525210ECEF5F74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:46.548{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5346-61BA-6407-00000000CD01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:46.548{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:46.548{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
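The two record types that dominate this stretch of the log are ProcessAccess (EventID 10, the repeated svchost.exe to sysmon64.exe opens with GrantedAccess 0x1400 and the forwarder's child-process opens with 0x1fffff) and FileDelete (EventID 23, every one of which carries Archived=false - insufficient disk space). The triage below is an added example, not part of this log and not Sysmon's or Splunk's own code. It assumes the events are available in the Windows Event XML form Sysmon writes; the three sample events are constructed in that shape, two from field values visible above (records 64847793 and 64847766) and one hypothetical lsass.exe open that is not in the log. It decodes the access mask into winnt.h right names and raises only when a sensitive target is opened with rights that reach its memory or threads, and it separately flags any FileDelete whose archive copy was not kept.

```python
"""Triage of Sysmon ProcessAccess (EventID 10) and FileDelete (EventID 23).
Added example; assumes Windows Event XML input.  Sample events are
constructed: two from record values in the log above, one hypothetical."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h; Sysmon's GrantedAccess is an OR of these.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the caller read or alter the target's memory or threads.
INTRUSIVE = {"PROCESS_CREATE_THREAD", "PROCESS_VM_OPERATION", "PROCESS_VM_READ",
             "PROCESS_VM_WRITE", "PROCESS_DUP_HANDLE", "PROCESS_SUSPEND_RESUME"}
# Credential store and the sensor itself: memory access to these is worth a look.
SENSITIVE_TARGETS = ("\\lsass.exe", "\\sysmon64.exe", "\\sysmon.exe")


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into right names; unnamed bits stay as hex."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    known = 0
    for bit in PROCESS_RIGHTS:
        known |= bit
    if mask & ~known:
        names.append(f"0x{mask & ~known:x} (unnamed bits)")
    return names


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "RecordID": int(system.find("e:EventRecordID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def triage(event: dict) -> list[str]:
    """Return the findings for one event (empty list means nothing to raise)."""
    findings = []
    if event["EventID"] == 10:
        rights = set(decode_access(int(event["GrantedAccess"], 16)))
        target = event["TargetImage"].lower()
        # Query-only masks such as 0x1400 never reach the target's memory.
        if target.endswith(SENSITIVE_TARGETS) and rights & INTRUSIVE:
            findings.append(f"{event['SourceImage']} opened {event['TargetImage']} "
                            f"with {event['GrantedAccess']} "
                            f"({', '.join(sorted(rights & INTRUSIVE))})")
    elif event["EventID"] == 23:
        # Sysmon keeps a copy of a deleted file only when Archived is "true";
        # any other value means the content is gone and cannot be pulled later.
        if event.get("Archived", "").lower() != "true":
            findings.append(f"deleted file not archived: {event['TargetFilename']} "
                            f"(Archived={event['Archived']!r})")
    return findings


SAMPLE_EVENTS = [
    # Constructed from record 64847793 above: svchost.exe querying sysmon64.exe.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>10</EventID><EventRecordID>64847793</EventRecordID>
<Computer>win-host-987.attackrange.local</Computer></System>
<EventData><Data Name="UtcTime">2021-12-15 20:42:46.548</Data>
<Data Name="SourceProcessId">732</Data><Data Name="SourceImage">C:\Windows\system32\svchost.exe</Data>
<Data Name="TargetProcessId">1420</Data><Data Name="TargetImage">C:\Windows\sysmon64.exe</Data>
<Data Name="GrantedAccess">0x1400</Data></EventData></Event>""",
    # Constructed from record 64847766 above: the archive copy failed.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>23</EventID><EventRecordID>64847766</EventRecordID>
<Computer>win-host-987.attackrange.local</Computer></System>
<EventData><Data Name="UtcTime">2021-12-15 20:42:44.332</Data>
<Data Name="Image">C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Data>
<Data Name="TargetFilename">C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational</Data>
<Data Name="IsExecutable">false</Data>
<Data Name="Archived">false - insufficient disk space</Data></EventData></Event>""",
    # Hypothetical record (not in the log): an unsigned tool opening lsass.exe.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>10</EventID><EventRecordID>0</EventRecordID>
<Computer>win-host-987.attackrange.local</Computer></System>
<EventData><Data Name="SourceProcessId">5100</Data><Data Name="SourceImage">C:\Users\Public\tool.exe</Data>
<Data Name="TargetProcessId">636</Data><Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1fffff</Data></EventData></Event>""",
]


def run_triage(events=SAMPLE_EVENTS) -> dict:
    """Map RecordID -> findings for each event in the input."""
    results = {}
    for text in events:
        event = parse_event(text)
        results[event["RecordID"]] = triage(event)
    return results


if __name__ == "__main__":
    for record_id, findings in run_triage().items():
        print(record_id, findings or ["ok"])
```

0x1400 on the sysmon64.exe target decodes to PROCESS_QUERY_INFORMATION plus PROCESS_QUERY_LIMITED_INFORMATION, which is why the many svchost.exe to sysmon64.exe records are left alone; the FileDelete records are all raised, because "false - insufficient disk space" means Sysmon could not keep the deleted file and nothing can be recovered from the archive directory afterwards.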
Call-trace abbreviations used in the records below (each expands verbatim to the frames shown):
  [A]       = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4
  [R]       = C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  [CSRSS]   = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
  [CONHOST] = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  [SPLUNKD] = C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Header fields common to every record: Channel=Microsoft-Windows-Sysmon/Operational Keywords=0x8000000000000000 Level=4 Opcode=0 Task=<EventID> RuleName=-

EventID=10 (ProcessAccess) Version=3 RecordID=64847791 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11058|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847790 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+12023|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847789 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847788 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847787 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11aad|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847786 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11058|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847785 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+12023|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847784 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E79-61BA-0500-00000000CD01} SourceProcessId=412 SourceThreadId=536 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={B81B27B7-5346-61BA-6407-00000000CD01} TargetProcessId=4312 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=[CSRSS]

EventID=10 (ProcessAccess) Version=3 RecordID=64847783 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 SourceProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} SourceProcessId=1196 SourceThreadId=3772 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={B81B27B7-5346-61BA-6407-00000000CD01} TargetProcessId=4312 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=[SPLUNKD]

EventID=1 (ProcessCreate) Version=5 RecordID=64847782 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:46.548 ProcessGuid={B81B27B7-5346-61BA-6407-00000000CD01} ProcessId=4312 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={B81B27B7-1E79-61BA-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C ParentProcessGuid={B81B27B7-1E7B-61BA-2000-00000000CD01} ParentProcessId=1196 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=23 (FileDelete) Version=5 RecordID=132719975 Computer=win-dc-128.attackrange.local UtcTime=2021-12-15 20:42:47.801 ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} ProcessId=2196 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=CA5165EE10A22F3B5ABC4F66ED8AB64C,SHA256=1B85D906910C1D419B9E343A7CF2BDEEA002A484AE14998DD17A579845B5C601,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=10 (ProcessAccess) Version=3 RecordID=64847835 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7C-61BA-3000-00000000CD01} SourceProcessId=3184 SourceThreadId=3208 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={B81B27B7-5347-61BA-6607-00000000CD01} TargetProcessId=6360 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=[CONHOST]

EventID=10 (ProcessAccess) Version=3 RecordID=64847834 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847833 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11aad|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847832 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11058|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847831 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+12023|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847830 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847829 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847828 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11aad|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847827 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11058|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847826 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+12023|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847825 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E79-61BA-0500-00000000CD01} SourceProcessId=412 SourceThreadId=972 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={B81B27B7-5347-61BA-6607-00000000CD01} TargetProcessId=6360 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=[CSRSS]

EventID=10 (ProcessAccess) Version=3 RecordID=64847824 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 SourceProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} SourceProcessId=1196 SourceThreadId=3772 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={B81B27B7-5347-61BA-6607-00000000CD01} TargetProcessId=6360 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=[SPLUNKD]

EventID=1 (ProcessCreate) Version=5 RecordID=64847823 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.736 ProcessGuid={B81B27B7-5347-61BA-6607-00000000CD01} ProcessId=6360 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe FileVersion=8.0.2 Description+Product=Windows Print Monitor splunk Application (boundary between the two fields not recoverable from the flattened record) Company=Splunk Inc. OriginalFileName=splunk-winprintmon.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={B81B27B7-1E79-61BA-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748 ParentProcessGuid={B81B27B7-1E7B-61BA-2000-00000000CD01} ParentProcessId=1196 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=23 (FileDelete) Version=5 RecordID=64847822 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.733 ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} ProcessId=3388 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=D2F9861D2785B25942230B259DD5099D,SHA256=E13C1FF9D9E431429158E5673EE999C0C1B50440204FEF082119DFFEFD2F06F3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=23 (FileDelete) Version=5 RecordID=132719974 Computer=win-dc-128.attackrange.local UtcTime=2021-12-15 20:42:47.098 ProcessGuid={3BF36828-8542-61B1-7A00-00000000CE01} ProcessId=2196 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=DB5780265F800786EC85A9880FB46A33,SHA256=720F27B001DB8C0EEB844D4CE892C2339BD6D2485E7167CA4BDC3F654EB774A3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=23 (FileDelete) Version=5 RecordID=64847821 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.549 ProcessGuid={B81B27B7-1E8D-61BA-7300-00000000CD01} ProcessId=3388 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=A411074854A751744CE97BC88B1FF621,SHA256=43AC0F7A1ACDC37DE548447D0BF1E2D8F2401858CA1FB3964B14F412CADA6C86,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space

EventID=10 (ProcessAccess) Version=3 RecordID=64847820 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.418 SourceProcessGUID={B81B27B7-5347-61BA-6507-00000000CD01} SourceProcessId=6332 SourceThreadId=6568 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2000-00000000CD01} TargetProcessId=1196 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe GrantedAccess=0x101400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess) Version=3 RecordID=64847819 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.217 SourceProcessGUID={B81B27B7-1E7C-61BA-3000-00000000CD01} SourceProcessId=3184 SourceThreadId=3208 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={B81B27B7-5347-61BA-6507-00000000CD01} TargetProcessId=6332 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe GrantedAccess=0x1fffff CallTrace=[CONHOST]

EventID=10 (ProcessAccess) Version=3 RecordID=64847818 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.217 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847817 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 20:42:47.217 SourceProcessGUID={B81B27B7-1E7A-61BA-0C00-00000000CD01} SourceProcessId=732 SourceThreadId=2452 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-1E7B-61BA-2100-00000000CD01} TargetProcessId=1420 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=[A]|c:\windows\system32\lsm.dll+11aad|[R]

EventID=10 (ProcessAccess) Version=3 RecordID=64847816 Computer=win-host-987.attackrange.local UtcTime=2021-12-15 (record continues on the next line)
20:42:47.217{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:47.217{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:47.217{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:47.217{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:47.217{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:47.217{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:47.217{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:47.217{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-5347-61BA-6507-00000000CD01}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:47.217{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5347-61BA-6507-00000000CD01}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:47.217{B81B27B7-5347-61BA-6507-00000000CD01}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064847838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:48.763{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B7843C467C484318C248E0D43599BF,SHA256=DCE34C19FA01CC7D2EB1AAAE4A8561A5D2300CC35F58E8F1422FAFAA5A624471,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:48.816{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AA852EA0A00F90AFC83A5786A04E21,SHA256=A908A6E21EE6898530379B295EE1A31110A0EAB63DEBADD28C24629505C1AF13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:48.191{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3007150D9DC931FC7F6A3DE415048C3,SHA256=9C9B2C1580FEEE5CB11D343E7D41EC96F070C900B221A9EC4935454964836F99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:48.748{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C458A248EE577C1D730FA15732E5065,SHA256=E5C135C5A9773205DB5076E5A4E913E7C85FBC849EF9AEC821F5C46ADB548AF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:45.976{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52899-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x800000000000000064847839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:49.796{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84630FDDC605CAE27D5B7EDD9E24224C,SHA256=BFEBF842EF0EF8D2342B6C35185B7C705108BCB919F1CA4D2DA7E12C4F386E43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:49.830{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082E355E45F962F5B071BEAAF4A9EADD,SHA256=ACAD975715FD97D6CFC7EC71F8D1B2334C2344B088B597D8B16FCC6DED03F7F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:49.426{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E203380892386A0F8815D98962905FA,SHA256=0789C8A3ED1BD6803779961AAC59ABD04B0F654A4AEE230219ACC5C700FF9FFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:50.814{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA8C2EEBADB713B888A7446F7561FCF,SHA256=CD6C44CD9D36C4DB7E37A7A0ADF88342994B8F2C256F6F01BDA5A0B05077FDF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:50.846{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5043F24CAB2678BF589D78354CE0E8A,SHA256=BB860DFD737A582B3F5590D48AEF894BFE7A0BECE48A3F421F4FEDFE803A960A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:50.502{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A64EE9D1D8D4A01809AC3740D969CC5D,SHA256=1922A1C6B900BE46289FFEA5D80FEA39C04F984DF6B7A7B5E6F485C763D643E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:51.929{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5506F8FEC1D8D1DA1B06A5EDE5F83F9F,SHA256=FD214BFF9329DA5231FF24F6C154DD0A26FBD8EF39AB49E8414C4AD6A65B8172,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132719984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:51.861{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AADBD2B0D54D88E4B0C1A4FDA9DA74E,SHA256=CC331D34DD7AC98D59D77B6784072D9724688716C78D58F7F710D6BE41CA4B44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:51.627{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84260A895C70FCDF87802ACF6CB891B8,SHA256=A43C5FC66D2CF70A93FA7188BDC9B89838D0C7FFE194215D1952EFA83363921E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132719982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:33.177{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60092-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064847842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:52.975{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A7508D9D4B416B7885CFF8BA1ABB4F,SHA256=87CF662EBBE321F7889E9070D23FF6480EFF2751CEB071A7DB5D6E8A74FCC2A3,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000132719986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:52.877{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C19C804EC62778992AEA55CD7E3CF0A,SHA256=0C175E74CF71FF33E09D99D82A3CFD36AF2DE6B133883DD7A741CD8F3946FF78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:52.815{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81FA6F553FB2859E177942C0240DD1A5,SHA256=81ABE5AE57A8EB8FC21CD5F9AC8BFA09FAC749830E312226651A1EAC1DEA5299,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:53.893{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443166FE94A644A6F28B5B07B4B3C8E0,SHA256=438C62A33951768228BC63FB49653B9C772B3CC200FEFEF67F813AAD8D07222B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:51.994{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52900-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000132719989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:53.815{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1500-00000000CE01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:42:53.815{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1500-00000000CE01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132719987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:53.815{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-851F-61B1-1500-00000000CE01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000132719992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:54.908{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8706E966611EC2186ABD2E2907A3957F,SHA256=8727791011CE229324AC886D3BD40F75DE791EEABC056FF2CA75EFE9BA9AB258,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:54.011{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A06323124DFC8390158A5E0DA366C0C,SHA256=0792861C81ED3CEDCDFB99BD019C9A8311A85BFDD344C6A16D265C35610C63D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:54.221{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D57968F1782F6811A6AFEB28005296A0,SHA256=E856E689893DCF81C362797F4D58DE303F3708783ED1D28834CAA198F57E803D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132719995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:55.924{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB08C7B5BE3A6DA3C17689DBFD3CAD17,SHA256=032C9DA5CB402DE95551C179B67A6EB92F904205C4A084A134C8B70F8E835CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000132719994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:38.284{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60093-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132719993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:55.283{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E29BC2199D837CDD9D7819B6C09D48C9,SHA256=3DF3AAA63784F4CD06A51957A4935788714CAA79362D4AF3B2AE71D6312FBC70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064847846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:53.152{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse72.43.121.35rrcs-72-43-121-35.nyc.biz.rr.com21876-false10.0.1.15win-host-987.attackrange.local3389ms-wbt-server 23542300x800000000000000064847845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:55.057{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AC8D4B840D5310C648F829B56852AB,SHA256=EAFBCE89CC1A5E450179DA0BAD6BD32D27630A08EF0B07A0506D7CACDDA91B33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:56.940{3BF36828-8542-61B1-7A00-00000000CE01}2196NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77163B3A0637EA373A2328FF0D38BD7C,SHA256=1708C5C9B3D6392106FCB34157A12E4A296EB5A8B92F649EADFEAD6FCD49D67D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.955{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.940{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.940{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064847966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.889{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DF7C5D6BCE7DA1BEB0D795AF228C98B2,SHA256=2CC8D84481E28B1FAB88F66DF963FD5E7A8AD53D4B570DB37AF77D4E2EE588C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064847965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.888{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=ED441B578AE980D867FD0D6AC7DC539A,SHA256=2D128AB60D07E09CECD3231F0429E0158E5A2301F4260AE75ED148DF6B7BD77D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.871{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.871{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.871{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.871{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.871{B81B27B7-1E7A-61BA-1600-00000000CD01}11841764C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.871{B81B27B7-1E7A-61BA-1600-00000000CD01}11841228C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064847958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.855{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69357269AB29DE1BB8227038D0E1EA7B,SHA256=E345714AC1A6EFA0CCCD2253FD6ED3B283D38FD4D2B5764B2BEBBDF5878A42A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.824{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.824{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.824{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.824{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.824{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.824{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064847950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.808{B81B27B7-5350-61BA-6807-00000000CD01}64921108C:\Windows\system32\csrss.exe{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000132719999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:39.438{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52902-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000132719998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:39.436{3BF36828-851E-61B1-0D00-00000000CE01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52901-false10.0.1.14win-dc-128.attackrange.local135epmap 
354300x8000000000000000132719997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:39.331{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49315- 23542300x8000000000000000132719996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:56.330{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1353187C66B47C33E6ED59E9F49A3DF8,SHA256=CC6C0BE4ABB76F11330D0875FF84F7F8038ABDA8B305662446499FEE784128CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.808{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.808{B81B27B7-5350-61BA-6907-00000000CD01}63885656C:\Windows\system32\winlogon.exe{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.809{B81B27B7-5350-61BA-6B07-00000000CD01}3328C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{B81B27B7-5350-61BA-62F5-560000000000}0x56f5623SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000064847939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.808{B81B27B7-1E79-61BA-0B00-00000000CD01}6362272C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.793{B81B27B7-1E79-61BA-0B00-00000000CD01}6362272C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.793{B81B27B7-1E79-61BA-0B00-00000000CD01}6362272C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.793{B81B27B7-5350-61BA-6A07-00000000CD01}42486904C:\Windows\system32\LogonUI.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.771{B81B27B7-1E7A-61BA-1600-00000000CD01}11841764C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.771{B81B27B7-1E7A-61BA-1600-00000000CD01}11841228C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.771{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.771{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-5350-61BA-6807-00000000CD01}64921108C:\Windows\system32\csrss.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-5350-61BA-6907-00000000CD01}63884436C:\Windows\system32\winlogon.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E79-61BA-0B00-00000000CD01}6362272C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-1E79-61BA-0B00-00000000CD01}6362272C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064847917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.762{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a2d055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000064847916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-1E79-61BA-0B00-00000000CD01}6362272C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.755{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.755{B81B27B7-1E7A-61BA-1600-00000000CD01}11841764C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.740{B81B27B7-1E7A-61BA-1600-00000000CD01}11841764C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.740{B81B27B7-1E7A-61BA-1600-00000000CD01}11841228C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.740{B81B27B7-1E7A-61BA-1600-00000000CD01}11841764C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.740{B81B27B7-1E7A-61BA-1600-00000000CD01}11841228C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000064847908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:55.172{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52902-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49672- 354300x800000000000000064847907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:55.170{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52901-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal135epmap 10341000x800000000000000064847906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.640{B81B27B7-5350-61BA-6807-00000000CD01}64926704C:\Windows\system32\csrss.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000064847905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.524{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA92DCD9917AC063EC4D0E3E9B800E8,SHA256=91E02AFB82852F3DACC8E68D19D6033780DB5B8FC5DADA036F221C5674640A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000064847904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000064847903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000064847902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x800000000000000064847901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 
13241300x800000000000000064847900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x800000000000000064847899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x800000000000000064847898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000064847897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000064847896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x800000000000000064847895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000064847894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x800000000000000064847893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 
20:42:56.440{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 10341000x800000000000000064847892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.440{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.440{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.440{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}732756C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6807-00000000CD01}6492C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000064847878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000064847877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.424{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000064847876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.424{B81B27B7-5350-61BA-6707-00000000CD01}31366912C:\Windows\System32\smss.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x800000000000000064847875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.427{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® 
Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e73SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{B81B27B7-5350-61BA-6707-00000000CD01}3136C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000108 0000007c 10341000x800000000000000064847874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.424{B81B27B7-1E76-61BA-0200-00000000CD01}3242176C:\Windows\System32\smss.exe{B81B27B7-5350-61BA-6807-00000000CD01}6492C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.409{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6807-00000000CD01}6492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064847872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.409{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66DBA54DA85CD8A811FE1BE948DC90C6,SHA256=D778EDD5105E40AF3725C87E56163CA1EB22E991C8F93EB2DC70B90F5D89D00C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x800000000000000064847871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.409{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCDEA8A7C7DB8AE0DD27E3797406E2F9,SHA256=3368D1E948CDB42EC2DD35F9409D717BA0C809804B58F915A529E03A3CCF057E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064847870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.393{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.393{B81B27B7-5350-61BA-6707-00000000CD01}31366912C:\Windows\System32\smss.exe{B81B27B7-5350-61BA-6807-00000000CD01}6492C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x800000000000000064847860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.402{B81B27B7-5350-61BA-6807-00000000CD01}6492C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e73SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{B81B27B7-5350-61BA-6707-00000000CD01}3136C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000108 0000007c 10341000x800000000000000064847859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.371{B81B27B7-1E76-61BA-0200-00000000CD01}3242176C:\Windows\System32\smss.exe{B81B27B7-5350-61BA-6707-00000000CD01}3136C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064847854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064847849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:56.371{B81B27B7-1E76-61BA-0200-00000000CD01}324400C:\Windows\System32\smss.exe{B81B27B7-5350-61BA-6707-00000000CD01}3136C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x800000000000000064847848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.382{B81B27B7-5350-61BA-6707-00000000CD01}3136C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000108 0000007c C:\Windows\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e73SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{B81B27B7-1E76-61BA-0200-00000000CD01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x800000000000000064847847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:56.072{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5817E2C5A7BA9A519CC0D618D318D184,SHA256=25E483DD7B907064F76D6E23047CA8EC58E84C0DA4DCFCD2DCF1A2538C9DFC19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.493{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.493{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.493{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.493{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.493{B81B27B7-1E7A-61BA-0F00-00000000CD01}9246252C:\Windows\System32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.493{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.493{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.493{B81B27B7-1E79-61BA-0B00-00000000CD01}6361868C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.493{B81B27B7-1E79-61BA-0B00-00000000CD01}6361868C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.491{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.491{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.491{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.491{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.491{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.491{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.490{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.490{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.489{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.489{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.488{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x800000000000000064848084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x800000000000000064848080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064848079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.455{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1531649FC6991BD61339B98247CE04BC,SHA256=51C0A4BECC7BFC0AEE5BA19752BFB65212D533539B3A5E243D47F328AD733415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.439{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66DBA54DA85CD8A811FE1BE948DC90C6,SHA256=D778EDD5105E40AF3725C87E56163CA1EB22E991C8F93EB2DC70B90F5D89D00C,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000064848077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.424{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87790A0C373895765D13627EE5ED61C6,SHA256=DD7E4A3CBEE6736BA3C72737B0D9D201380BC2863C9CC8F34E9C8046E5174975,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x800000000000000064848061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.408{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x800000000000000064848057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x800000000000000064848039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x800000000000000064848035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.392{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.388{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.388{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.388{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.388{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.388{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.388{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.387{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.387{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.386{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.371{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.324{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1700-00000000CD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.324{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.324{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000064848017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 20:42:57.324{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 10341000x800000000000000064848016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:57.324{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.324{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.324{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.270{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.270{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.270{B81B27B7-1E79-61BA-0B00-00000000CD01}6361868C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.270{B81B27B7-1E79-61BA-0B00-00000000CD01}6361868C:\Windows\system32\lsass.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.270{B81B27B7-1E7A-61BA-0F00-00000000CD01}9244592C:\Windows\System32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.270{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.270{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
18141800x800000000000000064848006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 20:42:57.239{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe
10341000x800000000000000064848005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.155{B81B27B7-1E7A-61BA-1100-00000000CD01}9641600C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.155{B81B27B7-1E7A-61BA-1100-00000000CD01}9641600C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.155{B81B27B7-1E7A-61BA-1100-00000000CD01}9641600C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.155{B81B27B7-1E7A-61BA-1100-00000000CD01}9641600C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
18141800x800000000000000064848001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe
10341000x800000000000000064848000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x800000000000000064847999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4
18141800x800000000000000064847998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe
17141700x800000000000000064847997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe
10341000x800000000000000064847996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1900-00000000CD01}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0F00-00000000CD01}9246252C:\Windows\System32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-1600-00000000CD01}11841764C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-1600-00000000CD01}11841228C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x8000000000000000132720001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:57.471{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34565712230F22765862F18CAC00F74E,SHA256=E41F170AC2B024DD4C057C96578DC2CA48541EABBF3409F8F2C47884CABE53F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000064847978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.124{B81B27B7-1E7A-61BA-1600-00000000CD01}11841764C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000064847975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.108{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E84EB51D2785D9FF5FBE734801386E,SHA256=211FF39BD2FD7B003749F8C3C4A0D7D731A2471B667D55AF6EDFEA59CCAD692B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000064847974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.087{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.087{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.071{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.071{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064847970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.071{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6A07-00000000CD01}4248C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.969{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-5352-61BA-7007-00000000CD01}2060C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000064848498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.969{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-5352-61BA-7007-00000000CD01}2060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.969{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-5352-61BA-7007-00000000CD01}2060C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.954{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB0-61BA-A200-00000000CD01}2036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.954{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB0-61BA-A200-00000000CD01}2036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.954{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1900-00000000CD01}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.938{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.938{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.938{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.938{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.938{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.938{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064848487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.923{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D72B38EE800F5FB4B0F796515046B603,SHA256=D40B93A74E5B3A7252FF0BD900A412C074B0DDAA4F81208A932F552648C4104B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.823{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.823{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.788{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A500-00000000CD01}2848C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000064848483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:57.021{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52903-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000064848482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.738{B81B27B7-1FB3-61BA-AE00-00000000CD01}33566480C:\Windows\Explorer.EXE{B81B27B7-23DE-61BA-CB01-00000000CD01}6652C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.738{B81B27B7-1FB3-61BA-AE00-00000000CD01}33566480C:\Windows\Explorer.EXE{B81B27B7-23DE-61BA-CB01-00000000CD01}6652C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.738{B81B27B7-1FB3-61BA-AE00-00000000CD01}33566480C:\Windows\Explorer.EXE{B81B27B7-23DE-61BA-CB01-00000000CD01}6652C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.723{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.723{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064848477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.723{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B25FEE81F32AB744FC72406C69E7B42,SHA256=76BF26EEDF118551F3C8BB20665428D07F092818D3982431521C56B489FFC8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.707{B81B27B7-200E-61BA-DB00-00000000CD01}48326772C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+391f0|C:\Program Files\Mozilla Firefox\firefox.exe+390e6|C:\Program Files\Mozilla Firefox\firefox.exe+4a3d0|C:\Program Files\Mozilla 
Firefox\firefox.exe+4a0cc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.707{B81B27B7-200E-61BA-DB00-00000000CD01}48326772C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+391f0|C:\Program Files\Mozilla Firefox\firefox.exe+390e6|C:\Program Files\Mozilla Firefox\firefox.exe+4a3d0|C:\Program Files\Mozilla Firefox\firefox.exe+4a0cc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.707{B81B27B7-200E-61BA-DB00-00000000CD01}48326772C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+391f0|C:\Program Files\Mozilla Firefox\firefox.exe+390e6|C:\Program Files\Mozilla Firefox\firefox.exe+4a3d0|C:\Program Files\Mozilla Firefox\firefox.exe+4a0cc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.670{B81B27B7-200E-61BA-DB00-00000000CD01}48323932C:\Program Files\Mozilla 
Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ae301|C:\Program Files\Mozilla Firefox\xul.dll+9421e4|C:\Program Files\Mozilla Firefox\xul.dll+967069|C:\Program Files\Mozilla Firefox\xul.dll+966f8a|C:\Program Files\Mozilla Firefox\xul.dll+966b99|C:\Program Files\Mozilla Firefox\xul.dll+962f6f|C:\Program Files\Mozilla Firefox\xul.dll+96327c|C:\Program Files\Mozilla Firefox\xul.dll+ac2fe1|C:\Program Files\Mozilla Firefox\xul.dll+2c9ed9|C:\Program Files\Mozilla Firefox\xul.dll+2c9de4|C:\Program Files\Mozilla Firefox\xul.dll+2c9be5|C:\Program Files\Mozilla Firefox\xul.dll+2c9a94|C:\Program Files\Mozilla Firefox\xul.dll+ae8aa3|C:\Program Files\Mozilla Firefox\xul.dll+aea261|C:\Program Files\Mozilla Firefox\xul.dll+ae879d|C:\Program Files\Mozilla Firefox\xul.dll+ae7b22|C:\Program Files\Mozilla Firefox\xul.dll+b0f846|C:\Program Files\Mozilla Firefox\xul.dll+1a0a9ca|C:\Program Files\Mozilla Firefox\xul.dll+b15f84|C:\Program Files\Mozilla Firefox\xul.dll+f62e45|C:\Program Files\Mozilla Firefox\xul.dll+eca867|C:\Program Files\Mozilla Firefox\xul.dll+ea9257 18141800x800000000000000064848472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 20:42:58.670{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 10341000x800000000000000064848471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1700-00000000CD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A500-00000000CD01}2848C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A500-00000000CD01}2848C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7324756C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Win
dows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7324756C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000064848466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 20:42:58.654{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 10341000x800000000000000064848465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7324756C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7324756C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.654{B81B27B7-1E7A-61BA-0C00-00000000CD01}7324756C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.654{B81B27B7-200E-61BA-DB00-00000000CD01}48326772C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+391f0|C:\Program Files\Mozilla Firefox\firefox.exe+390e6|C:\Program Files\Mozilla Firefox\firefox.exe+4a3d0|C:\Program Files\Mozilla Firefox\firefox.exe+4a0cc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.654{B81B27B7-200E-61BA-DB00-00000000CD01}48326772C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+391f0|C:\Program Files\Mozilla Firefox\firefox.exe+390e6|C:\Program Files\Mozilla Firefox\firefox.exe+4a3d0|C:\Program Files\Mozilla Firefox\firefox.exe+4a0cc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.654{B81B27B7-200E-61BA-DB00-00000000CD01}48326772C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+391f0|C:\Program Files\Mozilla Firefox\firefox.exe+390e6|C:\Program Files\Mozilla Firefox\firefox.exe+4a3d0|C:\Program Files\Mozilla Firefox\firefox.exe+4a0cc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-23EB-61BA-CF01-00000000CD01}1068C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-23DE-61BA-CC01-00000000CD01}6224C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-23DE-61BA-CB01-00000000CD01}6652C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-23B2-61BA-C701-00000000CD01}304C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2397-61BA-C201-00000000CD01}6616C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-235D-61BA-AF01-00000000CD01}6948C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-22EC-61BA-8301-00000000CD01}7052C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-22C8-61BA-7601-00000000CD01}6684C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-22C7-61BA-7501-00000000CD01}6268C:\Program Files\Internet Explorer\iexplore.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2028-61BA-E800-00000000CD01}4428C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2028-61BA-E700-00000000CD01}5768C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2013-61BA-E100-00000000CD01}6004C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2012-61BA-E000-00000000CD01}5496C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2011-61BA-DF00-00000000CD01}5304C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2010-61BA-DE00-00000000CD01}1048C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-2010-61BA-DD00-00000000CD01}2964C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-200E-61BA-DB00-00000000CD01}4832C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A800-00000000CD01}3612C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A500-00000000CD01}2848C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FB0-61BA-A200-00000000CD01}2036C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FAF-61BA-A000-00000000CD01}4064C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1EF5-61BA-8100-00000000CD01}3000C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E8D-61BA-7300-00000000CD01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E85-61BA-6700-00000000CD01}3248C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E85-61BA-6600-00000000CD01}3800C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7C-61BA-3D00-00000000CD01}3492C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7C-61BA-3900-00000000CD01}3408C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7C-61BA-3000-00000000CD01}3184C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2C00-00000000CD01}2948C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2400-00000000CD01}2092C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2300-00000000CD01}1748C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1F00-00000000CD01}2016C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1E00-00000000CD01}1976C:\Windows\system32\ocspsvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1D00-00000000CD01}1968C:\Windows\system32\certsrv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1C00-00000000CD01}1960C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1A00-00000000CD01}1944C:\Windows\system32\inetsrv\inetinfo.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1900-00000000CD01}1796C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1800-00000000CD01}1544C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1700-00000000CD01}1296C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1500-00000000CD01}1148C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1300-00000000CD01}504C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1100-00000000CD01}964C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1000-00000000CD01}956C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0E00-00000000CD01}884C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0D00-00000000CD01}792C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E79-61BA-0B00-00000000CD01}636C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.623{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1E79-61BA-0900-00000000CD01}576C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.607{B81B27B7-200E-61BA-DB00-00000000CD01}48323932C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ae301|C:\Program Files\Mozilla Firefox\xul.dll+e5922e|C:\Program Files\Mozilla Firefox\xul.dll+b3f3bd|C:\Program Files\Mozilla Firefox\xul.dll+27e215|C:\Program Files\Mozilla Firefox\xul.dll+27dfea|C:\Program Files\Mozilla Firefox\xul.dll+e7254f|C:\Program Files\Mozilla Firefox\xul.dll+1ac2b03|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla 
Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac5fcd|C:\Program Files\Mozilla Firefox\xul.dll+1736b7a|C:\Program Files\Mozilla Firefox\xul.dll+1ab5ff3|C:\Program Files\Mozilla Firefox\xul.dll+e9e76b|C:\Program Files\Mozilla Firefox\xul.dll+196c780|C:\Program Files\Mozilla Firefox\xul.dll+196b1c3|C:\Program Files\Mozilla Firefox\xul.dll+1625fc5|C:\Program Files\Mozilla Firefox\xul.dll+19945a3|C:\Program Files\Mozilla Firefox\xul.dll+944a1f|C:\Program Files\Mozilla Firefox\xul.dll+254be|C:\Program Files\Mozilla Firefox\xul.dll+196238|C:\Program Files\Mozilla Firefox\xul.dll+19513f 10341000x800000000000000064848338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.607{B81B27B7-200E-61BA-DB00-00000000CD01}48323932C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ae301|C:\Program Files\Mozilla Firefox\xul.dll+e59207|C:\Program Files\Mozilla Firefox\xul.dll+b3f3bd|C:\Program Files\Mozilla Firefox\xul.dll+27e215|C:\Program Files\Mozilla Firefox\xul.dll+27dfea|C:\Program Files\Mozilla Firefox\xul.dll+e7254f|C:\Program Files\Mozilla Firefox\xul.dll+1ac2b03|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac5fcd|C:\Program Files\Mozilla Firefox\xul.dll+1736b7a|C:\Program Files\Mozilla Firefox\xul.dll+1ab5ff3|C:\Program Files\Mozilla Firefox\xul.dll+e9e76b|C:\Program Files\Mozilla Firefox\xul.dll+196c780|C:\Program Files\Mozilla Firefox\xul.dll+196b1c3|C:\Program Files\Mozilla Firefox\xul.dll+1625fc5|C:\Program Files\Mozilla Firefox\xul.dll+19945a3|C:\Program Files\Mozilla Firefox\xul.dll+944a1f|C:\Program Files\Mozilla Firefox\xul.dll+254be|C:\Program Files\Mozilla 
Firefox\xul.dll+196238|C:\Program Files\Mozilla Firefox\xul.dll+19513f 10341000x800000000000000064848337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.607{B81B27B7-200E-61BA-DB00-00000000CD01}48323932C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ae301|C:\Program Files\Mozilla Firefox\xul.dll+e591dc|C:\Program Files\Mozilla Firefox\xul.dll+b3f3bd|C:\Program Files\Mozilla Firefox\xul.dll+27e215|C:\Program Files\Mozilla Firefox\xul.dll+27dfea|C:\Program Files\Mozilla Firefox\xul.dll+e7254f|C:\Program Files\Mozilla Firefox\xul.dll+1ac2b03|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac5fcd|C:\Program Files\Mozilla Firefox\xul.dll+1736b7a|C:\Program Files\Mozilla Firefox\xul.dll+1ab5ff3|C:\Program Files\Mozilla Firefox\xul.dll+e9e76b|C:\Program Files\Mozilla Firefox\xul.dll+196c780|C:\Program Files\Mozilla Firefox\xul.dll+196b1c3|C:\Program Files\Mozilla Firefox\xul.dll+1625fc5|C:\Program Files\Mozilla Firefox\xul.dll+19945a3|C:\Program Files\Mozilla Firefox\xul.dll+944a1f|C:\Program Files\Mozilla Firefox\xul.dll+254be|C:\Program Files\Mozilla Firefox\xul.dll+196238|C:\Program Files\Mozilla Firefox\xul.dll+19513f 10341000x800000000000000064848336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.607{B81B27B7-1E7A-61BA-1600-00000000CD01}11841768C:\Windows\system32\svchost.exe{B81B27B7-5350-61BA-6907-00000000CD01}6388C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.607{B81B27B7-200E-61BA-DB00-00000000CD01}48323932C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ae301|C:\Program Files\Mozilla Firefox\xul.dll+e5922e|C:\Program Files\Mozilla Firefox\xul.dll+b3f3bd|C:\Program Files\Mozilla Firefox\xul.dll+27e215|C:\Program Files\Mozilla Firefox\xul.dll+27dfea|C:\Program Files\Mozilla Firefox\xul.dll+e7254f|C:\Program Files\Mozilla Firefox\xul.dll+1ac2b03|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac5fcd|C:\Program Files\Mozilla Firefox\xul.dll+1736b7a|C:\Program Files\Mozilla Firefox\xul.dll+1ab5ff3|C:\Program Files\Mozilla Firefox\xul.dll+e9e76b|C:\Program Files\Mozilla Firefox\xul.dll+196c780|C:\Program Files\Mozilla Firefox\xul.dll+196b1c3|C:\Program Files\Mozilla Firefox\xul.dll+1625fc5|C:\Program Files\Mozilla Firefox\xul.dll+19945a3|C:\Program Files\Mozilla Firefox\xul.dll+944a1f|C:\Program Files\Mozilla Firefox\xul.dll+254be|C:\Program Files\Mozilla 
Firefox\xul.dll+196238|C:\Program Files\Mozilla Firefox\xul.dll+19513f 10341000x800000000000000064848334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.607{B81B27B7-200E-61BA-DB00-00000000CD01}48323932C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ae301|C:\Program Files\Mozilla Firefox\xul.dll+e59207|C:\Program Files\Mozilla Firefox\xul.dll+b3f3bd|C:\Program Files\Mozilla Firefox\xul.dll+27e215|C:\Program Files\Mozilla Firefox\xul.dll+27dfea|C:\Program Files\Mozilla Firefox\xul.dll+e7254f|C:\Program Files\Mozilla Firefox\xul.dll+1ac2b03|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac5fcd|C:\Program Files\Mozilla Firefox\xul.dll+1736b7a|C:\Program Files\Mozilla Firefox\xul.dll+1ab5ff3|C:\Program Files\Mozilla Firefox\xul.dll+e9e76b|C:\Program Files\Mozilla Firefox\xul.dll+196c780|C:\Program Files\Mozilla Firefox\xul.dll+196b1c3|C:\Program Files\Mozilla Firefox\xul.dll+1625fc5|C:\Program Files\Mozilla Firefox\xul.dll+19945a3|C:\Program Files\Mozilla Firefox\xul.dll+944a1f|C:\Program Files\Mozilla Firefox\xul.dll+254be|C:\Program Files\Mozilla Firefox\xul.dll+196238|C:\Program Files\Mozilla Firefox\xul.dll+19513f 10341000x800000000000000064848333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.607{B81B27B7-200E-61BA-DB00-00000000CD01}48323932C:\Program Files\Mozilla Firefox\firefox.exe{B81B27B7-200F-61BA-DC00-00000000CD01}4864C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ae301|C:\Program Files\Mozilla 
Firefox\xul.dll+e591dc|C:\Program Files\Mozilla Firefox\xul.dll+b3f3bd|C:\Program Files\Mozilla Firefox\xul.dll+27e215|C:\Program Files\Mozilla Firefox\xul.dll+27dfea|C:\Program Files\Mozilla Firefox\xul.dll+e7254f|C:\Program Files\Mozilla Firefox\xul.dll+1ac2b03|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac3f7d|C:\Program Files\Mozilla Firefox\xul.dll+1ac5fcd|C:\Program Files\Mozilla Firefox\xul.dll+1736b7a|C:\Program Files\Mozilla Firefox\xul.dll+1ab5ff3|C:\Program Files\Mozilla Firefox\xul.dll+e9e76b|C:\Program Files\Mozilla Firefox\xul.dll+196c780|C:\Program Files\Mozilla Firefox\xul.dll+196b1c3|C:\Program Files\Mozilla Firefox\xul.dll+1625fc5|C:\Program Files\Mozilla Firefox\xul.dll+19945a3|C:\Program Files\Mozilla Firefox\xul.dll+944a1f|C:\Program Files\Mozilla Firefox\xul.dll+254be|C:\Program Files\Mozilla Firefox\xul.dll+196238|C:\Program Files\Mozilla Firefox\xul.dll+19513f 23542300x800000000000000064848332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.592{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=415906C8B3322DDB6035632BCDB4741F,SHA256=FD344824B6CA1C11E861E38A45E5C385DB9B43D610B58CCFC6E1E40B2247ED0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.589{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A41FCA1648507C5CADD22FE0FA05BA4,SHA256=A200B439C56B39D6E15588B73143C7A9ADC92117C4254E24C4171A58929AE1A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.587{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9FA9E5D604C0D66360C53049F206DE7F,SHA256=9F32D38D843EF6E563B74CD9D3B80DDE9B8E0417719AEE17EA9FE5A3A5096FB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.586{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=64D43679660D97FC94DC4A09E1446230,SHA256=AFFA2C74E08523B2A135BFB54FD9213C5D30F302C4B83C8B857E469457DDC1F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.570{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FAF-61BA-A000-00000000CD01}4064C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.570{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325904C:\Windows\system32\svchost.exe{B81B27B7-1FAF-61BA-A000-00000000CD01}4064C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7324996C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A500-00000000CD01}2848C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7324996C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000064848277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 10341000x800000000000000064848276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-5352-61BA-6D07-00000000CD01}3028C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0F00-00000000CD01}9246180C:\Windows\System32\svchost.exe{B81B27B7-5352-61BA-6D07-00000000CD01}3028C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x800000000000000064848272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.465{B81B27B7-5352-61BA-6D07-00000000CD01}3028C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{B81B27B7-1FB1-61BA-A4CD-080000000000}0x8cda42HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 18141800x800000000000000064848271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 17141700x800000000000000064848270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 10341000x800000000000000064848269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.470{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1900-00000000CD01}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1900-00000000CD01}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322676C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.454{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x800000000000000064848222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.387{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452A16736A7F01D4C98105EC7DB3958E,SHA256=3ECAB9FBA88BFDBCD95803F4A1A5DF50DBC6C62C3C35B5822705C5250AA9231A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.370{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A500-00000000CD01}2848C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.370{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB2-61BA-A500-00000000CD01}2848C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.292{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB0-61BA-A200-00000000CD01}2036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.292{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB0-61BA-A200-00000000CD01}2036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.292{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB0-61BA-A200-00000000CD01}2036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.292{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FB0-61BA-A200-00000000CD01}2036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000064848215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-ConnectPipe2021-12-15 
20:42:58.270{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 17141700x800000000000000064848214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-12-15 20:42:58.270{B81B27B7-1E7A-61BA-0F00-00000000CD01}924\TSVCPIPE-9dd9f28d-4e26-4e42-abac-f9d135133220C:\Windows\System32\svchost.exe 10341000x800000000000000064848213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.270{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000064848212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.188{B81B27B7-1FAF-61BA-9F00-00000000CD01}9881016C:\Windows\system32\csrss.exe{B81B27B7-1E7A-61BA-0C00-00000000CD01}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.188{B81B27B7-1FAF-61BA-9F00-00000000CD01}9881016C:\Windows\system32\csrss.exe{B81B27B7-1E7A-61BA-0F00-00000000CD01}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x800000000000000064848210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000064848209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000064848208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000064848207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000064848206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 
20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x800000000000000064848205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000064848204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000064848203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000064848202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x800000000000000064848201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000064848200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x800000000000000064848199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-12-15 20:42:58.170{B81B27B7-1E76-61BA-0100-00000000CD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 
23542300x800000000000000064848198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.170{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE181649FFF391285D5A1A989BA4FF81,SHA256=8E88EAF7C552DE4578FB658C1C949B96FC1059CCBD54E8A50CAAB42DC5C2773D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.155{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=415906C8B3322DDB6035632BCDB4741F,SHA256=FD344824B6CA1C11E861E38A45E5C385DB9B43D610B58CCFC6E1E40B2247ED0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.155{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF7A48DEA94806BCE4EFBDEC5D47962,SHA256=84DB20C4DA30B824D29F2FB16E10575B67692A71A54FCA3ED418A8DB09D168B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FAF-61BA-A000-00000000CD01}4064C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1FAF-61BA-A000-00000000CD01}4064C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.139{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.139{B81B27B7-1E7A-61BA-1600-00000000CD01}11843272C:\Windows\system32\svchost.exe{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.139{B81B27B7-1E7A-61BA-1600-00000000CD01}11841228C:\Windows\system32\svchost.exe{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1FAF-61BA-9F00-00000000CD01}9886100C:\Windows\system32\csrss.exe{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1700-00000000CD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.127{B81B27B7-5352-61BA-6C07-00000000CD01}1112C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{B81B27B7-1FB1-61BA-A4CD-080000000000}0x8cda42HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{B81B27B7-1E7A-61BA-0C00-00000000CD01}732C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000064848176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1200-00000000CD01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}732912C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1400-00000000CD01}368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:42:58.124{B81B27B7-1E7A-61BA-0C00-00000000CD01}7325928C:\Windows\system32\svchost.exe{B81B27B7-1E7A-61BA-1600-00000000CD01}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Mozilla\Firefox\Profiles\ih5iuvko.default-release\datareporting\glean\db\data.safe.binMD5=32FA204EE4F60A71B3DE3EC7DB4B0077,SHA256=BDBAC288545DF3FC79A5AF5D1D67FC9CD8FD5F3B9029834B5F3E83DA75397247,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:08.504{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FFBF850C820CD782FBB71CCC3B5CB1,SHA256=CC4E6238DE8A3205264A517E839F55BB47EBEF75DB0E135C0B3126E121F0FDD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:08.783{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5375BB36CC5B5D7C48D4C8A489069ED,SHA256=0DB6983BF4AFE351E7A1C4D332A8A7623EAB292F017C263E2E5DB27F80380D9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:08.096{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D55E5CAC7F918F45CBE3859D9E4B2AA,SHA256=BD7437501C118D7BD606722C844CE73DC7C5BED07CC3BB7182E5E5C94A39F042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000064848538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:08.019{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52910-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:09.522{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AC8A3ADF6C2AD86075ECF2A89DB78F,SHA256=34E8649C162FE55DD164CEFB144A8B85CDA0787A2E1664EAA530EBA14AF0E97B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:09.111{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E6FE80C3058FF66383DF950E404F94,SHA256=80DE27E1A236BE88CC5D33989BD1B720372B4B529A919E25888E68F7B7A18446,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:10.706{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D31C5A14042EEAD8133824DC630A0E,SHA256=29CA39571ED00D0251A56B8F9FD419E7AC6177438B259A260FF4BD0AA48856EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:10.319{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=686574D8643B4922E97367E448BE05AB,SHA256=12B913CF6F743B8A187C4B0F52CF542F9C46DF11886807380E52B84E2DD06261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:10.131{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D54E173AE9A529B8F62AE30DD3BDA87,SHA256=E2C11C669EFEA629D4BEDE3BC18D70B619663ACFB9BB2F7C27FB1CF28D2D8FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:11.759{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF5AD0CAF01D7F00D5F8C11C03FC7C0,SHA256=A776766946FE93258E69D51649F5A07F302BA36A54F27931397A26E032082C3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:11.397{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0984D354DEA7CAC79CE5F7026BD9C1B4,SHA256=315F60B8C4AB92A4C41289C7ECED45187012A5CE3CD27F8F5073DBEE0A44BBCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:11.131{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E071FA1C9FAC375F5DBC85CA2C0367AE,SHA256=BE1B89203C59DDA8B00C21B36FCB5FA01F09D9C0846F5CDBE695D528F299D7D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:12.774{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3EAC485C3675A13B2E6A91FB920DBB,SHA256=0DED707F51893613F1988843006D31A87E8C19E5DF9A9A7F318819FEBDC777F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:12.538{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6CA79A2C91D7012BEE3E8B7460C5D6F,SHA256=EBF7D247E45C9CB2768F16A6B8A5B54ACDD3C7FBA22977BE939C8D0165DCC503,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:12.147{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507C1F695FADC27164862F3969AF54EC,SHA256=CC1DE171B79AED251CB495CEA2C1CC3230C7C64844F1D9CB17A778DD0E84A569,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:12.443{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Mozilla\Firefox\Profiles\ih5iuvko.default-release\datareporting\glean\db\data.safe.binMD5=769A14A8AFCE33AF234773731172DBD4,SHA256=9645DBC33B2A53019229104C11FB08D4E8196C25CFA9DA84B9A20257E8F02840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:13.799{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33EFB9F7731C3C1ED46DFECCAD7BEF3,SHA256=133D1B378485D51D030A6D9B2A04F84612D7E13742C433051EFB04B119798E47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.897{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA7D88674167ACE8E1BFB59E7ECE162,SHA256=E90ACEEECCD9508103F4CF75134F0A103EC9C5464DD2D19ADC5D059117371A40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.694{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14B3FFAC4770AEDF3E52863610544DBA,SHA256=52F5282543FC9FA4A069F189ABD8A64F596472F83B531E83AB616F602A6206A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.647{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132720096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.647{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging 
HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.647{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000132720094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000132720092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132720091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132720090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.506{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000132720082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132720080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132720078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft 
CorporationValid 734700x8000000000000000132720075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132720073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132720068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132720062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132720061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000132720060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132720058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132720055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132720054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000132720051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.491{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.491{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:13.476{3BF36828-5361-61BA-6609-01000000CE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000132720041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:42:55.132{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60096-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:13.163{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD3B54FE192712E717917EF41502528,SHA256=80EE1F1D83D82003B72DCDAC0770D01ECDBEC131BF7913BAF842D6A9E32452F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:14.878{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC3173937B61EF3AD4A6F1841139648,SHA256=469BD6BBE5D5C2CCA717A39D52626C195AACD9AA9C24A55D085BEDDF4E200813,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.804{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE2BCC3D9C58988667ED2C9DB1A685F,SHA256=3FADDA5FDC0979F5D16C9DA07092744D71A87C59407538C95ECA8060FB1B8833,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132720217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132720216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000132720215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000132720210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132720206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000132720205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132720204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.772{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: 
vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132720201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132720195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000132720194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132720191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000132720189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132720188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 23542300x8000000000000000132720187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-8542-61B1-7A00-00000000CE01}2196NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D658A1794BE96D124F3810DBFB80569,SHA256=7FEB18CB3B2FCD23410D3AAE5E69BFCD2CF500B993B04715CD0C07365D239AAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000132720184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000132720183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000132720182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132720181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 
734700x8000000000000000132720180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000132720178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000132720175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132720174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132720173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000132720171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:14.756{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-851C-61B1-0500-00000000CE01}412528C:\Windows\system32\csrss.exe{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.756{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.742{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.647{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBE3C9DC59C9CB0323A15551349EA1BA,SHA256=CA206BCD5D5F06639C76AF054B1DE66BD14D50C9DEC44CE27B778EAC64BCAE44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.553{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0872F7E735CA368D502ABBC6CA694A44,SHA256=88AFB47D828036CAB95B100D9D5162DE422F97D93033FC05E7C10F1E760F5E4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.459{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F18FAA9CF37BF5399342F18C8D5FE0EA,SHA256=1D6693B23407C4B8A1269E8C13B347391F3490A1712A4C6551D699C3F349F2E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.366{3BF36828-5362-61BA-6709-01000000CE01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000132720157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.366{3BF36828-5362-61BA-6709-01000000CE01}980576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.350{3BF36828-5362-61BA-6709-01000000CE01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.350{3BF36828-5362-61BA-6709-01000000CE01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132720154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.350{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25149195EA83AA61F9FADF3BD96CE084,SHA256=DA7F99092A44422F4519E6AD9F2D3F81FAC8062D2480035B2911751F98895ED8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.257{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F07B2CBBC06364F2719D4364E35B0B,SHA256=92731DA67EDD2E2EC86F52B182B35ED770FA6847D5B0E595BA5389DEAE6B7A6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.195{3BF36828-5362-61BA-6709-01000000CE01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.195{3BF36828-5362-61BA-6709-01000000CE01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
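The records above are Sysmon events (ID 7 image loads, ID 10 process accesses, ID 23 file deletes and ID 1 process creates) as collected by the Splunk forwarder, with the field separators lost in extraction. The following is an added example, not code from the page, from Splunk or from Sysmon: it parses events in Sysmon's XML schema and applies the checks a triage analyst would run over this kind of telemetry, decoding the GrantedAccess mask (0x1400, 0x101400 and 0x1fffff appear above), verifying the Signed/SignatureStatus fields on loaded images, and separating the all-zero IMPHASH of import-less DLLs such as ntdll.dll and win32u.dll from anything suspicious. The sample events are constructed here from values seen on the page plus one hypothetical lsass.exe access; the trusted-directory and sensitive-target lists are illustrative assumptions, not a recommended policy.

```python
"""Triage of Sysmon image-load (7), process-access (10) and file-delete (23) events.
Added example; sample events and allowlists are constructed assumptions, not captured data."""
import xml.etree.ElementTree as ET

# Process access rights from winnt.h; PROCESS_ALL_ACCESS is 0x1FFFFF on Vista and later.
ACCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE", 0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION", 0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE", 0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS", 0x000100: "PROCESS_SET_QUOTA",
    0x000200: "PROCESS_SET_INFORMATION", 0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME", 0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040  # read, write or inject into a process
SENSITIVE_TARGETS = ("lsass.exe",)                           # assumption: credential-holding targets
TRUSTED_DIRS = ("c:\\windows\\system32\\",                   # assumption: signed loads are routine here
                "c:\\program files\\splunkuniversalforwarder\\bin\\")
NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def make_event(event_id, computer, **data):
    """Build a Sysmon-style <Event> XML string (constructed sample, not a real capture)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>')

def parse_event(xml_text):
    """Flatten one Sysmon <Event> into a dict of EventID, Computer and every EventData field."""
    ev = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the event-schema namespace
        if tag in ("EventID", "Computer"):
            ev[tag] = el.text
        elif tag == "Data" and el.get("Name"):
            ev[el.get("Name")] = el.text or ""
    ev["EventID"] = int(ev["EventID"])
    return ev

def decode_access(mask):
    """Expand a GrantedAccess mask such as '0x1fffff' or '0x1400' into named rights."""
    value = int(mask, 16)
    if value == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if value & bit]

def parse_hashes(field):
    """Sysmon's Hashes field is 'MD5=..,SHA256=..,IMPHASH=..'; return it as a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def triage(ev):
    """Return the findings for one parsed event; an empty list means nothing notable."""
    findings = []
    if ev["EventID"] == 7:
        if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            findings.append(f"unsigned or invalid signature: {ev['ImageLoaded']}")
        if not ev["ImageLoaded"].lower().startswith(TRUSTED_DIRS):
            findings.append(f"load from untrusted directory: {ev['ImageLoaded']}")
        # An all-zero IMPHASH only means the PE has no import table (ntdll.dll and win32u.dll
        # on the page show it); it is not a tampering signal, so it is deliberately not flagged.
    elif ev["EventID"] == 10:
        target = ev["TargetImage"].lower().rsplit("\\", 1)[-1]
        if target in SENSITIVE_TARGETS and int(ev["GrantedAccess"], 16) & MEMORY_RIGHTS:
            findings.append(f"{ev['SourceImage']} opened {ev['TargetImage']} with "
                            + "|".join(decode_access(ev["GrantedAccess"])))
    elif ev["EventID"] == 23 and ev.get("IsExecutable") == "true":
        findings.append(f"executable deleted: {ev['TargetFilename']}")
    return findings

HOST = "win-dc-128.attackrange.local"
SPLUNK_BIN = r"C:\Program Files\SplunkUniversalForwarder\bin"
SAMPLE_EVENTS = [
    # Values from the page: a signed OpenSSL DLL loaded by splunk-netmon.exe.
    make_event(7, HOST, Image=SPLUNK_BIN + r"\splunk-netmon.exe",
               ImageLoaded=SPLUNK_BIN + r"\libeay32.dll", FileVersion="1.0.2t",
               Hashes="MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE",
               Signed="true", Signature="Splunk, Inc.", SignatureStatus="Valid"),
    # From the page: sysmon64.exe querying svchost.exe (0x1400 is query rights only).
    make_event(10, HOST, SourceImage=r"C:\Windows\sysmon64.exe",
               TargetImage=r"C:\Windows\system32\svchost.exe", GrantedAccess="0x1400"),
    # From the page: csrss.exe opening a newly created process with PROCESS_ALL_ACCESS, normal on Windows.
    make_event(10, HOST, SourceImage=r"C:\Windows\system32\csrss.exe",
               TargetImage=SPLUNK_BIN + r"\splunk-netmon.exe", GrantedAccess="0x1fffff"),
    # From the page: a non-executable checkpoint file deleted by the forwarder.
    make_event(23, HOST, Image=SPLUNK_BIN + r"\splunk-winevtlog.exe",
               TargetFilename=r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security",
               IsExecutable="false", Archived="false - insufficient disk space"),
    # Constructed, not on the page: a tool in a user-writable directory reading lsass.exe memory.
    make_event(10, HOST, SourceImage=r"C:\Users\Public\dumper.exe",
               TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
]

def run_triage(xml_events=SAMPLE_EVENTS):
    """Parse and triage each event; returns {index: findings} for the events that have findings."""
    return {i: f for i, f in ((i, triage(parse_event(x))) for i, x in enumerate(xml_events)) if f}

if __name__ == "__main__":
    for i, findings in run_triage().items():
        print(i, findings)
```

Of the five sample events only the constructed lsass.exe access produces a finding; the four built from the page's values (a validly signed Splunk DLL, Sysmon's own query-only handle, csrss.exe's PROCESS_ALL_ACCESS on a new process, and a deleted non-executable checkpoint file) are the baseline noise a detection must tolerate. Real Sysmon output carries more System fields and a timestamp, and in production the trusted-directory list should be replaced by a catalog or signer policy rather than a path prefix.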
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.866{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000132720334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132720332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132720329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132720328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132720325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132720322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132720317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132720311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132720310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 
(rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132720309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000132720306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132720305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132720302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.850{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-851C-61B1-0500-00000000CE01}4123064C:\Windows\system32\csrss.exe{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.850{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.840{3BF36828-5363-61BA-6A09-01000000CE01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.834{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94CD7D05C8A21EFB933699D4241349AD,SHA256=075BC860315465778939DEFCC752D2973B7336CEBBD4E920D4F92E207C0818DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.772{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A71B890A4B64C76DCED53B93F203E25,SHA256=FC787071AAD785BD9163862304480DCF0E1C7F2212C453D87C8E38F5857A2C53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.709{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95E042DBCDB22492FDE7B113C290AE0,SHA256=595485A640BBB4410E72157261F0EF9A5B0A90F8277B0CBB598BFD45AD36781E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.647{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED23D31F7FCEBF85D244B4AEF182969A,SHA256=038766B256AB65CCAC489291C3084125B66510FF20D95B781007CEB125082377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.584{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B34EF508D864B7ED92026889242813CD,SHA256=BC4A449CB0DBB05BFDB54869823414E07500EF940AF2CA3B42F9D21088237B27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.475{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC808595EB178EF1D6FFE30604FA0D6,SHA256=1322415457C181DC9A46AC5177647811F78B8CE47C13432E045E99D85465FA94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.475{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEEAD57F6A33499083DB9AE03E451B35,SHA256=89C755163256EB1470656E8C97C4ECC1BA2A62F53471A5643DD8C50A93EC7220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000132720285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.459{3BF36828-5363-61BA-6909-01000000CE01}28484944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000132720284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.459{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.459{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132720282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.412{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85EE80D6D4605C6D3399FAC72459597,SHA256=AA122485C5B8FF3884259D412EA11C8C7E0F051A6AD9E27B594C433643E10079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.350{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87E614B4CE5985F7660A278D56433B71,SHA256=1FDAAD7CFDBAE7ECAB3EC8BCCE4DC0D38E6A911AD74AB7172C7D85D20544C118,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132720278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000132720277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132720276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.319{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132720271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000132720270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132720268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132720263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132720260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132720259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132720256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000132720252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 
(rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000132720245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000132720244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE 
API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132720241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132720240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000132720237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:15.303{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.303{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.293{3BF36828-5363-61BA-6909-01000000CE01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.288{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F4BE7FE5D92F7F6C46C736272A5D92,SHA256=C08801E82ACCEE002F2D2C001EEB1685D01EE3B156134B81B4CAF52F76E30255,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.272{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27ACB6059DFD260396CAA3CD0660BB9E,SHA256=42F0A5AC5AB277996C9E888A273D50DD5646435412D478C435F54F6700115C58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.225{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=189E3C74EE040716C1D570B2DDCF2F89,SHA256=9E3678F02675F1267066BE5A065C5B327E54B05A100353177DF3BA769EEA1FFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:15.022{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13739BB0F0AF4503C4098B43054CE7E2,SHA256=924966594429271506EC721381818E19DF8935B6CB72E73DBDE3CDBEFD7F70F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.991{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132720222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.991{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:14.991{3BF36828-5362-61BA-6809-01000000CE01}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000064848546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:14.045{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52911-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:16.031{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D309C56FA0E850FA8206C1BFE6B76E,SHA256=2184201E421D81CB66289909D066038DB8B7DBA783E68C70C592476E274CFCF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.662{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000132720408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.662{3BF36828-5364-61BA-6B09-01000000CE01}4672208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.662{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging 
HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.662{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000132720405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.553{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.553{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000132720403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132720402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132720401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000132720393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 
built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132720389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132720388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000132720386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132720385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132720378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, 
Inc.Valid 734700x8000000000000000132720375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132720372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132720371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132720370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132720367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132720366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000132720365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132720363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:16.538{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.538{3BF36828-851C-61B1-0500-00000000CE01}4123064C:\Windows\system32\csrss.exe{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.522{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.523{3BF36828-5364-61BA-6B09-01000000CE01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.491{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB26DC1E7B7D794C4FD612824D65AA82,SHA256=D972975E3BE25DCBC1F988F02F4BDB2F8F130D4118990D66BCFC66971FFFD10B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:16.131{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03884BC47EF7A427C28281AEFE236FED,SHA256=47C45066B06B78C57295253EDBE88286E2B2E04CE459C598733471C02C6E20FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:16.006{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D71EF63993E468294836F282DED092,SHA256=A07347324B28691E6258DCCA90F6E75367AAA1E33748F3697EC708A28F837606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:17.262{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7041D54A122055D6492C9584026033,SHA256=690AEA2276689DB1892637480D643E519C14B96FD4D36DD007214E9193602A8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.678{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F79C86213E615B27211D8FC42EE2409,SHA256=735B587093918FEAFC55CF632D14CEA9DDACD6A970D90E5F11F96C7CD4C58C9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x8000000000000000132720469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.616{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5165ECA6BE86F87ED1DF4C7615E1A66D,SHA256=10FC233DE99328CA66C456C74036A1039163BA9BC84C3A31811FF32646609A3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.553{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5F7A9301AF9D0A22BAE40B02A26D44,SHA256=EC649BD0F3AAA452551D6253F219B5FBD9B758F3733E4E3988FAB4CF3B5DFA9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.506{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E1C0E097D545FFB557A289E71B2E8FB,SHA256=2A9AAD1224F17CCF916A5F5494A6105065806811D9A2B03610539939F72BDE79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.506{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266017EDD690F64F977836D7F3BE2867,SHA256=27B3B9A50B99C6C47791D4BA012D05928455F17A7E80D636F0CB067E4B35186A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.366{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132720464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.366{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.366{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000132720462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.241{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.241{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132720460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.241{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132720459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.241{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132720458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132720453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000132720452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:17.225{3BF36828-5365-61BA-6C09-01000000CE01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F05CB8344EACF56EB96FD9110972C17,SHA256=C62DD1F4CA532DF0FD04880A7E1E5F62A5257232687F142D0291B97042652A27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:19.975{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52914-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:23.695{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C1407BADC5C4C68281E7AF3B250807,SHA256=145F7BA4FA8053D6846976E7373AC070892600D9D7D63C26A53FDB48387A30F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132720492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:06.225{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60100-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:23.319{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD7F4399FEE7E54E5FB61760D9DEE1DE,SHA256=F0DCB1A4F6E23E5867D89146F049C8DAB1B7B3B515DC64A47F4CDDEC919F00B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:23.006{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742B5635908D7F5000750561F6ACD12E,SHA256=2AA9318ED6CB7CBF182D791563DEDDB03767C69EAD030533931C955FAF090EBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B200-00000000CD01}4404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB4-61BA-B000-00000000CD01}4280C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:24.775{B81B27B7-1E7A-61BA-0D00-00000000CD01}792812C:\Windows\system32\svchost.exe{B81B27B7-1FB3-61BA-AE00-00000000CD01}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:42.291{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-537E-61BA-7107-00000000CD01}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:42.291{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-537E-61BA-7107-00000000CD01}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:42.148{B81B27B7-537E-61BA-7107-00000000CD01}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000064848643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.900{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-537F-61BA-7307-00000000CD01}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.900{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.900{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.900{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:43.900{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.900{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-537F-61BA-7307-00000000CD01}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.900{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-537F-61BA-7307-00000000CD01}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.771{B81B27B7-537F-61BA-7307-00000000CD01}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064848635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.516{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05FFB823FBA50AF0C7525C053F4E2E9,SHA256=12E065E5551147094E2C20D51701C07E644EA014AC77A05155D7B4A86AEDF82B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:43.684{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A86FE26BA98E1D9E416D9F6381CE130C,SHA256=801C91D7B2EE1B2F33D64765405C5DD943044B4907FADEF65C7EFC53E47DB622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:43.230{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DD7C9B94F82F90D2BEFCA3D8FE10B6,SHA256=8FE8147766A13F74740574BA4CF6A98FC7D56DBFB43D94C86B7B0272220357BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.185{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53936BDD7830159CAECF296A4F8A1836,SHA256=6D61A473C3F50B7531728351DB45BBC3FF7E6102B8556A5D2F20C8BB921A2190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.185{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E5241E392C915586F184EA832E3F3A0,SHA256=018C83CCAD64F508F94286CF6B2D8C527CA57EDAD0F2F7171FAFF94369B97FF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 10341000x800000000000000064848632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.036{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-537E-61BA-7207-00000000CD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.034{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:43.034{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.034{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:43.034{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.034{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-537E-61BA-7207-00000000CD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.033{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-537E-61BA-7207-00000000CD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:42.900{B81B27B7-537E-61BA-7207-00000000CD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000064848655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.758{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5380-61BA-7407-00000000CD01}4424C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.754{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:44.754{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.753{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-5380-61BA-7407-00000000CD01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:44.753{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.753{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.753{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5380-61BA-7407-00000000CD01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.570{B81B27B7-5380-61BA-7407-00000000CD01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x800000000000000064848647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.600{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA75BCF8A6DB588248AE7F73B7005F5,SHA256=681D19867F95BCD3D90A87496563D281119E0477562529C3DBA94A520D765479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:43.031{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52919-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:44.246{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F728CC3FC02982C8B1A868C3FA2F6B,SHA256=2FACDBF111E4FA1374B9BF9B71C826FB18529CCEAE6D5C1DFF69BB5E0C279AE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.269{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53936BDD7830159CAECF296A4F8A1836,SHA256=6D61A473C3F50B7531728351DB45BBC3FF7E6102B8556A5D2F20C8BB921A2190,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 10341000x800000000000000064848644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:44.085{B81B27B7-537F-61BA-7307-00000000CD01}63327000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064848657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:45.603{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EFB14B2890F251EC6869BFF01DFFFA,SHA256=A65AD70FEDDB231801B49379944B8915FFB3FD98076C11ED9E46ECA08942AE42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132720536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:28.089{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60104-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:45.277{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C462F45636117326425EF08F67A0B738,SHA256=A51F7E9B98B9ED1FB9B9AEF14942CF204AB87713510C4B51EA8CAD1DC45B4919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:45.588{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=116C1DE069D7252463698FBCBA6A6127,SHA256=6A051C04E47154139F25F3EBC135996C8570268BDD7E0A58D1319FA0FAA96A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:45.012{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9F328BDDB1EEC60C45D5369CA539184,SHA256=75698CC478D2992938A497E168C41FFA17654D6D4E977676EAD8F945B04334D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.917{B81B27B7-5382-61BA-7507-00000000CD01}69086504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.697{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5382-61BA-7507-00000000CD01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.690{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:46.690{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.690{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:46.690{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.689{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-5382-61BA-7507-00000000CD01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.689{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5382-61BA-7507-00000000CD01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.550{B81B27B7-5382-61BA-7507-00000000CD01}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064848658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:46.618{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471D02F8D18F027FE75A45E71533BDD8,SHA256=099E2328DDAA32EFBE4464642738501046ED931544D2DDDA1487E1B5BF1DD38E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:46.527{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49AB0B8CB9E7CE8530E2734DD4589C60,SHA256=85EFB0FF938B2609CE9A36933CE0D274B50B6DABC6DF0EBB93F63C86621CDBED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:46.309{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2608CBCB3C08203892371CE53B5ABBB1,SHA256=C78F8FFE6B3E91147274623CE8226A89BB0A751DDAF978E07498973B4D202596,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.632{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BB78D46F289B4D0B48D1EF41216CF4,SHA256=9207C3FB91E81AE1D0E67881DCB1A2982381C67D5384D8C1217BC7D5E362315A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.632{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE09508E9C1B951FC2880EA4E7B376E9,SHA256=FE3A8D3D9D579F0ED2B0F37B533017CED2238422C94FB1A415AE4F682AC8A3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:47.543{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A76FEDF7168AED377B5453C0FD720E3F,SHA256=19E9C4C14EA819AE284B52DDC1568B34664FAEDB35883795E7D8646A2F0374E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:47.340{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5A262B31BEE8906EB39F72B630325A,SHA256=1229A68F6EC4D9DD69987E2B9D3E5E1D0BE0497C2AF4592E1839DC1B54F6A170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.601{B81B27B7-5383-61BA-7607-00000000CD01}44125860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.432{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5383-61BA-7607-00000000CD01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.432{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:47.432{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.432{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:47.432{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.432{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-5383-61BA-7607-00000000CD01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.432{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5383-61BA-7607-00000000CD01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:47.433{B81B27B7-5383-61BA-7607-00000000CD01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064848687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:48.647{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5138DB1D41074471CE4F4F5CB22C5025,SHA256=78943199EFB456B093894B5247589EF3933F1CD4986B52CF310A7EC86644E44B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:48.715{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC3F41D59732D1102BDC6C463EDD2166,SHA256=3A67CA69BF94428ECB90D892EEBF70B8CCEF41A70FE62C2DF731A30446673467,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:48.371{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDBEB57B5F211D1F974ADF4E9C953CD,SHA256=DAA0D6526ACF26AB53E2B589ACE010D4AD8D5053D8540AB904CC164C6154477D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:48.247{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-5384-61BA-7707-00000000CD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:48.247{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:48.247{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:48.247{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:48.247{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:43:48.247{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-5384-61BA-7707-00000000CD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:48.247{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5384-61BA-7707-00000000CD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:48.116{B81B27B7-5384-61BA-7707-00000000CD01}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064848689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:49.663{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A4B528F30C36B3B06864A240860F21,SHA256=47B9DBF5A35A8143E9BBDE63E9E5288E3D17AB9233A9940C460FE41607D9CDCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:49.933{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4700A368B75278AF78FF98F241942093,SHA256=DC25CA28D639003D94E1F72A27880F2BF5676F0F2E412087995EB6A7D7C2CB3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:49.402{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6829B370A4218A21D7A166BDD65D00FC,SHA256=20EA0BFF7658492ED0A410D6F6F33C9E87004DCE6C3D84B20BC0FCF3650D045E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:49.131{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B8915F459587C53E8C28A2D1D3D8D84,SHA256=5E25ED0B1AEB761A2049CB3F22E9168F4AF29818100255AC7E82611D6B6E5BC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:49.030{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52920-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:50.700{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFA109D840B913339A4AABFAB0A96BA,SHA256=23E2D7D01EDCDB7641826FCA2B88235707CD1CC0BB6F2FF4610100135F464864,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:50.417{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB2E5BC68D101DB0DC226E67D485272,SHA256=B37D361DB1521559FFA6650D2D5AC71FF3C48E838BB020861F4870286076CC8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:51.715{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0F52FB271511EF86A373FBE336723F,SHA256=369B15F488751D17481BCEC902427DAB219CFDB777D01783B26CD4538DEADB24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:51.448{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333DC1A280BD309BD7FD91BF2CC72151,SHA256=714DB5582C54F309586C09A90CCF34AB3EE7AB4543598C8DC7DFAD30563CD307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:51.104{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28AF0D350A20CFFF812F50A7BA237429,SHA256=A3D3C661CD89C93853C5BC7FC67735F973A2397E858DEDBEA2583EB761ECF4D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000132720546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:33.183{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60105-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:52.761{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8BF93A879190184766B34CBA3031FB,SHA256=1516E2B8A3879500151958FE6D7E6CC53EAE56F9B3201FC1DD2E623F3B6D2818,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:52.558{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FA238208EDF785A5767DDB4328AE432,SHA256=6EA4FF897E8F5D8149A52953D529E4DED063B804075C43C3E4D96C929AD3C84F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:52.479{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50B86C4718576971CEFF02950FC8463,SHA256=F1DEF52ED2556E56D20C3EC2D627CB5C7988A9AEB20E9635F1551B859FB8CB4B,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000132720552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:53.729{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00442428243ED9F790AFE3C27B631E06,SHA256=522127EE0D3E0D54F9E5CDAA4B4F44AD5254855998D54BC47A25B89A1D8D0CFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:53.495{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045179B48205DE00052D027D0DA3FC3E,SHA256=C66C562CBBF5EE49F20806F14921EA0637AA29B2E2E1CB94FDEF5DF5E5C81800,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:53.797{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F3D112DC2E285ED6C3F8D1E7E1CAF2,SHA256=87312C415506664DDCF5F3298BB0DCB84051DCDA2283D539024D34EAC1EED38A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:54.815{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FDB81BFCA446D43A2F1E97700D182E,SHA256=72AA19F769BC01B2DF081BE89E4A54DA4149D3BC825DBA212FAA2F721FD4F62C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:54.917{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD9EF2EB4F4DEF6255BA24C155BB3FF,SHA256=12E0491443C94B8EF0511D8C87EA32806C1AB5A4C674152F423F1CCAE32545A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:54.526{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FDF951333AC915B852BF9019EA2273,SHA256=0A8FB1E27DB58B245F8B9175D006FDDB3E67522FB2ABF93A2A27F3E489E4009C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:55.542{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF13DC524876F5CAF03C3730574A34B,SHA256=BC6A7A347D26817EC1571A856373B98EC2DDBA5CBF8C22A072AA814AA677C3F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:56.573{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73696063DA3A839360C5066249C51F49,SHA256=6564C9B4709CA4D96B49E8962F99C9E985FDC157EFF7F9A603147425F918596E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:56.045{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22879C63153C9FBD93E587A422230990,SHA256=22796232A7FF0DD08F52AB6073EEF063D188C5E70ABD50CAB541978A0D793BC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:56.136{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75AD1C4D1381C51221A49EC514A8B84C,SHA256=468D5F281617CE2030BCCB63E57506F9FCE670797D263AD94E3AAC23FE1C3FFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132720556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:38.198{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60106-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:57.620{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3430969E3B46228CD43BBE2E9BA82C3,SHA256=7DDDE1DCF2CD37C1BD3386A9328E819A1F606D0E2822460CFC97269686FBA5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:57.060{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075E204A91F5497EBDD5DF4B949BD771,SHA256=57947E54F0D5F42EE3A04B573A3C4136808D5E1223BB854D8EFBDF738FF9B529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:57.214{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9817EA510942E8FF263925BA0007CD,SHA256=273D94D2722F178A87BC6C6E5EF3FF1ADBB14DB415740196E742C4F0692059B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:54.798{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52921-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:58.636{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5976CEB5B999CD8F4613C37E0343B8,SHA256=E16CDA03CC7250C8A1508F4B6272B8F5A884F7281DA5A4F6F047FD9BD326CE59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:58.130{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71E19386F6242E19E7F37B94C238C35,SHA256=7C13A26326310154232BD8FC13E9B65542EE73B5211F58D591F8B3AAAFD62CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:58.558{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEB12FC14E8CBBC1058EF4F4569DC071,SHA256=B63786D4B0BEA3E08BA5B82EC0B531E3D5471FAC943F0349561992C86AFC8761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:43:59.667{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFB1AF9D29FBB68DCF0BBCCDCB6B62A,SHA256=DD930A4C579FA7861C6685BE84D64D04FAAEF38C2B9B804C845B33EE072F47DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:59.360{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7E306882543ACE0BF17B8BA0388E4D,SHA256=B6D8508483F170130C88787CF52C2348302DB937DBC1D979129B2564A50723C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:00.683{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C013707049DD6EC17B0CD5E3653525,SHA256=22D47DE3CB22D682D258AB588F928004E5F32D4C51EA541B735226DC981A9FF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:00.475{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83A0C842291FF20B27A0902E713B980,SHA256=47FFEB1493B6494F545BC2B8D6CCDB095EABAFB855E72948D5ACD438B32EB9A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:00.026{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09802A244F2EF0CAFB59552FE7EEB628,SHA256=50FE6B93B1693D6A0CC92053A560BEDB89B7FE051C34B0FD449ABBC95F8C652C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:01.698{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9827CB4016A29C7F108705E6B5F6B399,SHA256=D48EE4AE6EF9CA5EF6C47C34927EFFEF5F61D44817ABF33F6EF1C198BDF5B2F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:43:59.811{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52922-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:01.492{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD365CBC449E0139CD911499A49D607,SHA256=33063C6DE2802E96A567E66559149799AD8C750B0A8AAB191EF53C52CA00DB4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132720567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:43.213{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60107-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:01.058{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=096AFF92DDAF7ED39DE89B458E0B02F7,SHA256=6D7E6746A61F38419AE7DB4CC874F9A203DD9FE44AE6106B56057D7FB3F8EFAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:02.745{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333999C5D096EFECA209897AE0838D9B,SHA256=DF3C3445371CE7B20D3F30A6A5555114330A2FABE06024B74BBD00A1F33E62A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:02.595{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17388CEA2EA05F5FCEB441A1AAD8D590,SHA256=11C37750455AA74F8E107B682F245E595CDD4D57AE05FCFB37F8315A397B3AE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:02.261{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A54E714CDF56D07F698A251FE3D9B1,SHA256=D21E6B6D4832B62323095DFB2398E07EC230A34471B741571D7F4FE8845E8035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:03.776{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5554CD82D35828B9ED7485325C16A96,SHA256=BFC4E333EC24D9AD1B84A0886C4D7D09735DE4E460644DEDD3F3991A999AE01A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:03.726{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5FCF8ED9435397CF04A59C84192907,SHA256=9F01595683765D821D1CB2E7637857ADAFDA6B5982405057528CB886C1B98626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x8000000000000000132720571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:03.464{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A1D79517C45D5D890D89EEFA1E5A339,SHA256=A7B2AC4850DA18036F64E0647FB04019B60E9A04616380AC298749E5A684C6ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:04.792{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30288EB8C86674F661F0DE4E10762588,SHA256=E66E6A340276E2948925A4AE6CFFFCB47654AE6B95146894ED8DC0E1CFCBC3D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:04.741{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE857D9EB8A4B6B43C1AFD5041A3EE2,SHA256=1DDBC33E7249DC0D8758730D0AAE1042023379298AFEEDBD44249EC0D2AB84A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:05.823{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB2C23BF4F1306D8BD5B8064BF97A64,SHA256=1BDC93E9FF582D6A94E51436D4E84EA3A35309EB940CC0F5D4854E5595828117,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:05.842{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4405C4B4A95D47555511A665F2BD4FFB,SHA256=1BDC7BAC76007CE04D9B5EF2B2200366ACB4FF1F6421C82DFBEE154355EB9DE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132720575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:48.260{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60108-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:05.011{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=657F3FB671BCAF2FBD532C062F9F1673,SHA256=1662F9B95A9835E219338238F2A325237E6FA5BFD27D762CC1250D431DB8A55C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:06.973{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E74C4FDF903096D24703DFD2C3F6389,SHA256=5331224A6957AD9617655580F842F091A4B64160A8B80F2EEFDBB96AD60CCC6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:06.901{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F53FE28CE227987D624C3DFBFB87C72,SHA256=1FAA40CD83FF7EFCDA1E14B51E44C4CA523792B99D8301D98F33434138BA9A15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:06.089{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5B7F2705EEEC1CBF5AB61C3A1C0D874,SHA256=3BEAB3C0213C054C8F5F537592394B9899580A5C48E00B93F5A6275C3425BE30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:07.917{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB70E4EF8D6AEC4A3E7E02901133B583,SHA256=40451B5A9A820C4933E93CACBFE0F7602A19E858EB01265A2732DAD7DE4D9CF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:07.448{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7566B999D98CEF5D87E2B0226A12AB1C,SHA256=6587E8CAD353F8790A62DB8162748AA37851F826D88CDB89DA87374D050719CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:08.948{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7576E108698A351F65F585FBF3BD791B,SHA256=FB04CB63A767132BEEE4639FA4F2698777A4543614604546EBA3E82FBE6E12CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:05.825{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52923-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:08.090{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BDD0E723E8B5EC9897CAC5BE904FAA,SHA256=8FD14B5E3BE1AB7F443FDE8D2AFA8623D0BE78D237DCE2786AE26D51B088B936,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000132720581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:08.558{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F566DA6E343D01423C8E6DCCB2522A4,SHA256=622982E996F6F811E26DF996660ABDBAF3C619C6236F67F587914FB3212F48D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:09.156{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A97ECEEC63A04CDA73AB34A1DA96F2E,SHA256=4AB43A172A7B92B7B5BF5511B8372ADFF78769B4BBD2904D4BFCA0EC6E4BA4FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:09.679{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58BFD1B49F75E379B5DC87D9614AFEB8,SHA256=0EE0301A189411D8A2C3B865C2BAFC3BA89F174C0442D219EB2DBEE3340A659E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:10.172{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3055368724ECCB76B94FD3332DD2E829,SHA256=FC6C9494D88DF6959CD1FF5539529FB19E7C75BBAE069FB30C1D51C45D0466BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:10.179{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273624160130375F5C0F98196BF0E741,SHA256=27AD8E5BDBA17422C430B524B8C0512A73D27D0980D961A7C4715336B0E2110E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132720587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:43:54.115{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60109-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132720586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:11.210{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886D9127AE12A58FD865ADD1E6969B45,SHA256=44C19802E311FB1031928AED10F973FE84C04E3FFFB69CA0AD13E61166029A36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:11.209{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EDEF40972679DC035B18CC62D5A86D,SHA256=17D22B10715E91CA3939C78A2AFEC084D2B330E0D41B012A9148C03B6A4AE355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:11.101{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7CBC163F0BFE2E9B45D6C3FE04F7F54,SHA256=DFC985B82030407433A9EA9BB972576B8D5EF3AB868663764225066CA22C90F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:12.351{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14156311D58D4DE3BE0AC3E994BD602C,SHA256=4C198917E7639B0CE88E05264E5CD5B3BF47A9054D6B6A99722103296B75CC8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:12.226{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9EF385E5C28A060A74B9183CBAF54C,SHA256=351C502C7E830F2A5BB6B8A42ACF4CE90AEBA6F163642DA0746B9BFFC8E81C1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000064848714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:12.211{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E781641E8428D5B15573DC4C53EC9B47,SHA256=91E85BB7578FB619EB50C6A3347CEA49E0210B70730771B4B97A383C386CC65F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:10.839{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52924-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:13.225{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0C47C43014E58B9499DC996E5CE0A7,SHA256=3600AD9428C8B7116AB2224FC216C197907D66859F1BB41B28245501539375FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.663{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000132720646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.663{3BF36828-539D-61BA-6D09-01000000CE01}2308584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.663{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.663{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000132720643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132720641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000132720640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132720639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.523{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132720631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000132720630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132720628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132720625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132720623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x8000000000000000132720616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132720611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132720609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132720608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132720605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132720604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000132720603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:13.507{3BF36828-851C-61B1-0500-00000000CE01}4123064C:\Windows\system32\csrss.exe{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.507{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.492{3BF36828-539D-61BA-6D09-01000000CE01}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:13.491{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=428A197F15F9717452A2D88D37F60745,SHA256=62DA11E50AF90204E73BE42E1A45539697B8BCC0F60D5F0595F89EB2DAF1DC55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:13.241{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13424A387E8B51CDE8CACED732952135,SHA256=C2536218D1C93A4E5AD25915B54BBBF8234A91C83C02332B11FB4C7712DB132D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:14.256{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6799DB9FCEAB5E6E8C1B8E233A5005,SHA256=DB7E0EED818C0D6E573C7B3B7D7384C892125767B4DB4A7D79D715BF3780EA7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.960{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CEA4298B70903B5678F154F0BDBFAD,SHA256=8E36971611D2C22E6FA14B2614B32DC56811ACDE1C8E6551D67C3D7791F1C27D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132720764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.898{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132720763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.898{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132720762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.898{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000132720761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132720759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132720758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132720757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.776{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132720752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000132720751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132720749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132720747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132720743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000132720741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000132720740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132720734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.757{3BF36828-539E-61BA-6F09-01000000CE01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000132720665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000132720664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:14.194{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000132720661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
10341000x8000000000000000132720659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:14.194{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000132720656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:14.194{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.194{3BF36828-851C-61B1-0500-00000000CE01}412528C:\Windows\system32\csrss.exe{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.179{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:14.180{3BF36828-539E-61BA-6E09-01000000CE01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064848718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:15.271{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E30B1411FE32B508C8F5999A0A309E,SHA256=82984DC96D4321F63094A847AD003543117BBEE8D0F658232B0B5D71E54A552B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000132720888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.976{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000132720887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.976{3BF36828-539F-61BA-7109-01000000CE01}2116172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.976{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000132720885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.976{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000132720884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132720883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132720882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132720881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132720880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132720878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000132720877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.866{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132720876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.851{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000132720875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.851{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.851{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.851{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132720872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.851{3BF36828-539F-61BA-7109-01000000CE01}2116C:\Program 
Sysmon events from channel Microsoft-Windows-Sysmon/Operational on win-dc-128.attackrange.local, newest first. The export ran every field of each event together with no delimiter; the records are split here on Sysmon's field order. Fields constant across all records are not repeated per row: Level=4, Opcode=0, Keywords=0x8000000000000000, a "-" placeholder after the Computer name, Version=3 for EventID 7 and 10 and Version=5 for EventID 1 and 23, and Task equal to EventID. CallTrace frames keep Sysmon's own "|" separator (no spaces); the column separator below is " | ".

EventID 7 (Image loaded) columns:
E7 | RecordID | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus

EventID 10 (Process accessed) columns:
E10 | RecordID | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
(SourceProcessId and SourceThreadId are fused in the export, e.g. "36683688"; they are split on the reading in which both are multiples of 4 and, where possible, the PID also appears elsewhere in this log.)

EventID 1 (Process Create) columns:
E1 | RecordID | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine

EventID 23 (File Delete archived) columns:
E23 | RecordID | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

E7 (continued from the preceding line; RecordID and leading fields lie outside this section) | Image cut: Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\combase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
E7 | 132720871 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
E7 | 132720870 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | true | Microsoft Windows | Valid
E7 | 132720869 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
E7 | 132720868 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.4350 (rs1_release.210407-2154) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | true | Microsoft Windows | Valid
E7 | 132720867 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
E7 | 132720866 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | true | Microsoft Windows | Valid
E7 | 132720865 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
E7 | 132720864 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
E7 | 132720863 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
E7 | 132720862 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | true | Splunk, Inc. | Valid
E7 | 132720861 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
E7 | 132720860 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E | true | Microsoft Windows | Valid
E7 | 132720859 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
E7 | 132720858 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
E7 | 132720857 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
E7 | 132720856 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
E7 | 132720855 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
E7 | 132720854 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
E7 | 132720853 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC | true | Splunk, Inc. | Valid
E7 | 132720852 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
E7 | 132720851 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20 | true | Splunk, Inc. | Valid
E7 | 132720850 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBC | true | Microsoft Windows | Valid
E10 | 132720849 | 2021-12-15 20:44:15.851 | {3BF36828-8530-61B1-3C00-00000000CE01} | 3668 | 3688 | C:\Windows\system32\conhost.exe | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E7 | 132720848 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9 | true | Microsoft Windows | Valid
E7 | 132720847 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | true | Microsoft Windows | Valid
E7 | 132720846 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4350 (rs1_release.210407-2154) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
E10 | 132720845 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720844 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E7 | 132720843 | 2021-12-15 20:44:15.851 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C | true | Splunk, Inc. | Valid
E10 | 132720842 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720841 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720840 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720839 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720838 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720837 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720836 | 2021-12-15 20:44:15.851 | {3BF36828-851E-61B1-0C00-00000000CE01} | 840 | 5348 | C:\Windows\system32\svchost.exe | {3BF36828-852F-61B1-2700-00000000CE01} | 2892 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E10 | 132720835 | 2021-12-15 20:44:15.851 | {3BF36828-851C-61B1-0500-00000000CE01} | 412 | 428 | C:\Windows\system32\csrss.exe | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
E10 | 132720834 | 2021-12-15 20:44:15.851 | {3BF36828-852F-61B1-3500-00000000CE01} | 2568 | 3752 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E1 | 132720833 | 2021-12-15 20:44:15.840 | {3BF36828-539F-61BA-7109-01000000CE01} | 2116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {3BF36828-851D-61B1-E703-000000000000} | 0x3e7 | 0 | System | MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C | {3BF36828-852F-61B1-3500-00000000CE01} | 2568 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
E23 | 132720832 | 2021-12-15 20:44:15.835 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=72D72D58455BCDB1A60EF2414A330719,SHA256=201B3F1980F513F357C3A64B8A645F05A1D563540D756F1C400763A213A7AB84,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
E23 | 132720831 | 2021-12-15 20:44:15.616 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=CD8ED15A0E134D492E6EE63F368C6657,SHA256=C91ADAC889D3AEA124BC3013D78DA827AF18421B82C51425D31F2873EA929E4D,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
E23 | 132720830 | 2021-12-15 20:44:15.554 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=23252299FB2F352EE956FA560AF006CF,SHA256=95F5B294FC195DB627AFDAA05083E4B13D32351060C7A7BDCA933EB08645958B,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
E23 | 132720829 | 2021-12-15 20:44:15.476 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=90F94B8A6C20708D3E3F71587CAE90A3,SHA256=D398D2A04C3CB5C5393CC9D7FBEE7F630F50A569429ADCDBCBF40282629CB541,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
E10 | 132720828 | 2021-12-15 20:44:15.460 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | 4116 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | {3BF36828-852F-61B1-3500-00000000CE01} | 2568 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
E7 | 132720827 | 2021-12-15 20:44:15.460 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | true | Microsoft Windows | Valid
E7 | 132720826 | 2021-12-15 20:44:15.460 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid
E23 | 132720825 | 2021-12-15 20:44:15.413 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F8CCD1A07B9C2369EC6739F59687A38E,SHA256=7D510CA7B14F9F612D0B0666E84824288BDB45E0DD40B717D06A358A60876038,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
E23 | 132720824 | 2021-12-15 20:44:15.351 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F343C2C55C7A050CEB958517A305A0B4,SHA256=9046FB4CFE567C746D3DB42B92D91D5D81896CEB18C5517578B65EBE8D873DCB,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
E23 | 132720823 | 2021-12-15 20:44:15.319 | {3BF36828-8542-61B1-7A00-00000000CE01} | 2196 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=9A4D6D4F6131C66C56447A65D67F00E6,SHA256=71F137B39E9286C498ED0F013E36225DE0C47844F436DE8D023F25C60ADF3E43,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
E7 | 132720822 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
E7 | 132720821 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
E7 | 132720820 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
E7 | 132720819 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | true | Microsoft Windows | Valid
E7 | 132720818 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
E7 | 132720817 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366A | true | Microsoft Windows | Valid
E7 | 132720816 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
E7 | 132720815 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369 | true | Microsoft Windows | Valid
E7 | 132720814 | 2021-12-15 20:44:15.304 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | true | Microsoft Windows | Valid
E7 | 132720813 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
E7 | 132720812 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
E7 | 132720811 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
E7 | 132720810 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
E7 | 132720809 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | true | Splunk, Inc. | Valid
E7 | 132720808 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
E7 | 132720807 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
E7 | 132720806 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
E7 | 132720805 | 2021-12-15 20:44:15.288 | {3BF36828-539F-61BA-7009-01000000CE01} | 1996 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL (record continues beyond the end of this section)
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132720802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000132720801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132720798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000132720794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 
(rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000132720787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000132720786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.288{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE 
API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000132720783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132720781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000132720778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:15.273{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-851C-61B1-0500-00000000CE01}412528C:\Windows\system32\csrss.exe{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.273{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.267{3BF36828-539F-61BA-7009-01000000CE01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:15.257{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A890E3CEBFDD0A93118786938F6F5A70,SHA256=E1910CD5DDEA038ED535D50809366015B52C1EFB9344C13913F5BB6A72ECCF48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:16.523{3BF36828-53A0-61BA-7209-01000000CE01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:16.507{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98221F4473EC0EDAFA988B5319AD666A,SHA256=28F04488B4BCAE971815D5821FB0FAF7D68BB51828C55073F559E3505A97F29D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132720890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:16.194{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1741712CEDE55CC42219E0F7534251CF,SHA256=5167EB732BA72BB1C89E95301D922656A401E7144E9823F022E526CF137888DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132720889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:16.132{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A429B5B907849C7E6FB7509FBAD931D6,SHA256=84F65D1FBA89FE63A1B98E121987175A53E5D039919F6E3662E8F2763AE210C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132721015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:00.099{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60110-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.538{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966553F94D910A7A2BBA48E62A99C9A,SHA256=8F6DA726035C0D6F75B6894A8F7E425849A2927EB442B2563C5D7BD09D3E3251,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 11241100x800000000000000064848722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:17.339{B81B27B7-200E-61BA-DB00-00000000CD01}4832C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Mozilla\Firefox\Profiles\ih5iuvko.default-release\SiteSecurityServiceState.txt2021-12-10 17:12:46.982 23542300x800000000000000064848721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:17.339{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Mozilla\Firefox\Profiles\ih5iuvko.default-release\SiteSecurityServiceState.txtMD5=81CD4D352126835438A147A292C87690,SHA256=DD25D83A0F33C414BA7D737316222C4E2C6C7FF39B52D8031B1C5132782824BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:17.323{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C14BF685419E4888F84DCCA3373A62A,SHA256=4E8533F7942F04BCFF353C0E86057AE0DACEEEE4FB84334AF63E81F42A5EB18C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132721013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.257{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000132721012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.257{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000132721011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.257{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000132721010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.226{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87B3C063BA034B5EAD3AFAF902FD6D51,SHA256=8098EEDF41182071008D2110A914E24B6C64A03D9ED5E2C7DF81788EA1959EFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:17.163{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBB7B8FD1DE70E97110E1C02FAE04EF,SHA256=52167CF880FB5B4113D3C6CF1304C30990BD385A808CF3C1C774C7C879E3F7A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000132721008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.116{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000132721007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.116{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000132721006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.116{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000132721005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.116{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000132721004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.116{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000132721003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.116{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000132721002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.116{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000132721001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000132721000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000132720999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000132720998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000132720997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000132720996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000132720995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000132720994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000132720993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000132720992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000132720991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000132720990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000132720989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000132720988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000132720987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000132720986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000132720985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000132720984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000132720983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000132720982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000132720981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000132720980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000132720979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000132720978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000132720977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000132720976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000132720975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000132720974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000132720973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000132720972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-8530-61B1-3C00-00000000CE01}36683688C:\Windows\system32\conhost.exe{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000132720970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.101{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000132720969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000132720968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000132720966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000132720965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-851E-61B1-0C00-00000000CE01}8405348C:\Windows\system32\svchost.exe{3BF36828-852F-61B1-2700-00000000CE01}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132720958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:17.085{3BF36828-851C-61B1-0500-00000000CE01}412408C:\Windows\system32\csrss.exe{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000132720957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.085{3BF36828-852F-61B1-3500-00000000CE01}25683752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000132720956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.078{3BF36828-53A1-61BA-7309-01000000CE01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-851D-61B1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000132720955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:17.069{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A40B5803F6E2FD63FB852D00FBDBBD,SHA256=4B38C6CAE40D2919CC917D1AB0010150A41DD3B533DDDF5ED4B1CA4BD70FCF2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:18.632{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95F2B77B73FC3F214F6EE959C8EC503,SHA256=6473917F553B37497E5E9433C527CC6FC6F2397A1DC1B7F69D2FBBA4221A2535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:18.324{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F24FFA71355AF644D201F5E381A395,SHA256=BA5ED1CC847B4F59DDE396258FBB2FF14CA716566F2A841A69817B4945390347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:18.210{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DE55F5656D39C8A8FC8228F00981DE1,SHA256=1E69E53C0702A270A7C25E5EDE084DD9A908940B75F911DE36A10BC9695811D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:16.853{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52925-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:19.648{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A11722A0BC915C37A445FFF7B9472BB,SHA256=392BDC4FACD01CB4209B0FF75F81AC773C0C97B64A79FB73115D24B12305C8D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:18.006{B81B27B7-200E-61BA-DB00-00000000CD01}4832C:\Program Files\Mozilla 
Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.15win-host-987.attackrange.local52926-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x800000000000000064848725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:19.325{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCB7CCD0DF2E4629F28E846E82D1FD4,SHA256=B072D03C0DB356823DC93D7F58C023EF54EEDFC1FDD6BE5CA721BF558F5F2849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:19.460{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=199015300319B9CEC9F281B9F29A3CED,SHA256=3D93079548EB457F6F38EBA6B8132A9F438822C2B984F73F8F9EA885018D469C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:20.819{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D22FB8E2DD525EAF9D6933974216DA81,SHA256=56E99C5C6FAD56BD4CD48710438CC92B8DB87D00BCDA73744139BB15E4630631,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:20.819{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C469EBA7B625BE4F5E2873EB3F8D1B91,SHA256=903C29613F195BA98E317EF5FD18F88C238A233BF6D75FB332D124FEDA92AB7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132721022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:02.398{3BF36828-851C-61B1-0B00-00000000CE01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60111-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000132721021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:02.398{3BF36828-852F-61B1-3400-00000000CE01}2388C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60111-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000132721020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:20.679{3BF36828-852F-61B1-3500-00000000CE01}2568NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:20.425{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A51A0BB380A36A35E886D891E16448,SHA256=8849006D6D024C72E1A4D6B21ED6A8595D403E181FFFE58A78BD761347B66ED3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:21.960{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AD71DC7AB132A44A0D727EC7756DA55,SHA256=AAAA47C1119266AD74D9C12CA853B4396C9892191A069754136F58679F8F316A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:21.710{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DF6E5944032B77EE7E497BB1BF46C9,SHA256=752E46E6EAFBA5B748B39C07733E35C9AF9D0B58AA12EF92D3BD55DE45698452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:21.656{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B2208F23A52AB424D1E1A7D67E2402,SHA256=0240634BD42EEFBCEE0A78D93C6F9E88E15DB9CA1D1D08EFFA3C0DF9589D4CDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000132721029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:05.131{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60113-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000132721028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:04.709{3BF36828-852F-61B1-3500-00000000CE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60112-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000132721027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:22.773{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3AE54EF2D19D12AED451B1F215A164,SHA256=4A64EB4FAC69601CC19966BCF1EB640B90FBBF7A61E2170559287DFCA98D1F10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:22.687{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996F0EE798099F3F4390CF8E5707A8F9,SHA256=F3BD346D672B09ED06A41BB2512010D160ED797A762FE06AF6B1CC6E5AD3AEA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:23.913{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C6C16E7220DA3F1463C2B55A37537A,SHA256=E395AF49AF8B05C44C3912287B2567132F33D47792A77E99BC4965DE86AF63F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:23.922{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232D16B0130ECD0494F95B234227BD91,SHA256=766415D64AC984B3A8A3251056953515EF25931C68B1915DE6B19176B78272FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:23.116{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=776392F31EAEC49326015DBE5CE418EC,SHA256=9EA16AEF8AC8D5FA2F177DE0C3F0CAE82EC4874E58E08F13BE944070622EDBE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:23.207{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\cache2\doomed\8316MD5=98A88317470A7FF278B97A5CABF1921D,SHA256=E919F592733823A68E8E98C6172786F3BDE089CE3251A3F42C873F9F835E5F1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:24.929{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65B956D0A1B3BE4CB81AB626DF87FEF,SHA256=B01B7BA429EC25BFACC3CC90284086077E441FF4C57244AFDF1A3C69F75025BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:24.952{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8C0D1A643BABF5E0D5B9CA05B32AEA,SHA256=610AD2DE7E58FE8C035AA659CBD334FBBA8BC6ED6A955F34E76B9BBA2CDEFC9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:24.148{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F041419BD19E990D34D4342C12D4E4C8,SHA256=B332289D70E34997890931A0F5A2ACEDC4B0C0E4F7D74D821494A8CEFF3901A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000064848732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:22.837{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52927-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:25.985{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7084B19A95E575E66B391C5229763F,SHA256=621E4C71DED31536E9E5A920087BB0C80C285027CE0B0006D547970922AF17D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:25.288{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D8A4D6E5AB9B7D48D64CF5FD8A540FB,SHA256=AF2CB53F06331C3EF4665AE11D84B3761213AFA241F93A62D36490CCBFE4CDD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:26.460{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FA5F3F7016FDDCCBB034852EDEBDFB2,SHA256=DBDE189D411A8E36319CBDFF8C3CDC2B5E6B55B7EFC826E37C04489AFFFF0553,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132721035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:26.054{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E195AD9CA4EDB6956BA9BDACC66342,SHA256=4DAE07FB787F52CCCAF2FD098F43221A3C1995410AAEE897B6F582BA8FDE1D1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:27.710{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E518F59AF3A6ADDF0C7585BAC7BDBF7,SHA256=49E47418129F4BF14B52B29B26823E9B7C9CAC5F6966D54D327D7255885B9F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:27.132{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E590BD7BBB1FA4176A5CCFC423A175,SHA256=789BD06A71DC7922924069BF6D6699B99C0F5EC0579CDB09117C7BD4D5A6582C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.687{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=538F20818ABCD7D14D8785E5BD02E465,SHA256=1F84EF811BCEC0D7B17DDFFAFB46D55FF147FCED6B4FB7521D7CD13073B6AFF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.684{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=C5B64C8BE789AB2C6108331FDAB68248,SHA256=F8464E0BAE6DC92F5F34EDE9F7C4D01025FBA45D54A49A32758CF6E09A13BE71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.681{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=6DEE1A22226C30A30139F2808EB2EA78,SHA256=3260783910E962E8131886C1E3D9D5FEBBBD371AADD4D0B013E96CC222020EB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.565{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=10EE1C177CA457ADFF383FDB2E257EE8,SHA256=3A26C1F02C713E449CD6856B239C21F8541EC8C126A18348E8510B7D0DC92727,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.565{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=2C845B87F5E89AE0255A1943B4A5D739,SHA256=2774FF18A5604271D04417A2F1947CF60A7AF24B60F05956BBD9C7326F699623,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.549{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=1D8D1CC7E5B7403076BC65FAE548C59F,SHA256=E9D3A4A819DA3F73983CBD1CAAE21CA22AAAC2D86C44745A8462DA84251D3D4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.549{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.549{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=DC6938568B6DD7673AD033919FCBFAB6,SHA256=86F423E55F67ED58A2EAD5DDE02F589074F76D57919F075E52EDF364616FF028,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.549{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=AC1BEE6C55ECDE1B856CD225892B8CAC,SHA256=E4816EAE9E0044E47C32513DEEFF5E6336A53F78F0AC143A9E8840E90079C2C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.549{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=6E67807842C9AA484428B57ED1989A11,SHA256=188D204E0ADA92E4E38CBDED7FCE5B6B8D25645266D538F73CDAA0EB0BD51950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.549{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.533{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.533{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.533{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.533{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.533{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.533{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.518{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.502{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=1D8D1CC7E5B7403076BC65FAE548C59F,SHA256=E9D3A4A819DA3F73983CBD1CAAE21CA22AAAC2D86C44745A8462DA84251D3D4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.502{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Local\Mozilla\Firefox\Profiles\ih5iuvko.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.034{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8928351C6C3330E40CA635288EA60A5F,SHA256=FE4130641745B97E95C17FDA8BF217D8FA7025768F6C68C7B5CD4BCC7072D731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132721044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:11.161{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60114-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:28.851{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CC59733D76FE36D89B41C09C5A0523E,SHA256=85360EC960F57C2023D3444427A5B3A55E877DC796FC737185DB126B57924618,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000132721042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-12-15 20:44:28.226{3BF36828-852F-61B1-3100-00000000CE01}2428C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000132721041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-12-15 20:44:28.226{3BF36828-852F-61B1-3100-00000000CE01}2428C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 
13241300x8000000000000000132721040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-12-15 20:44:28.226{3BF36828-852F-61B1-3100-00000000CE01}2428C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x8000000000000000132721039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:28.163{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8682DCF92C79945496CB7D022D814A,SHA256=42B8CDEF82E3ECE0E7E311251F2DE208E821016CFCD8E64A38C3EA9033E7C179,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:27.166{B81B27B7-200E-61BA-DB00-00000000CD01}4832C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.15win-host-987.attackrange.local52928-false74.125.195.95wj-in-f95.1e100.net443https 23542300x800000000000000064848785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:28.218{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Mozilla\Firefox\Profiles\ih5iuvko.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
10341000x800000000000000064848817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:42.154{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:42.154{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:44:42.154{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:42.154{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:44:42.154{B81B27B7-1E79-61BA-0500-00000000CD01}412536C:\Windows\system32\csrss.exe{B81B27B7-53BA-61BA-7807-00000000CD01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:42.154{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-53BA-61BA-7807-00000000CD01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:42.155{B81B27B7-53BA-61BA-7807-00000000CD01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000064848810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:39.877{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52932-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:42.029{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C6E56291282D4805A2F74ED34A35741,SHA256=A7F91DEBE61CFF2032B4A010E0AF166263089A02AA4165B4A967C0C9167AB355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:43.716{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F67CF7429C499EDD47BA931FD7AFEDF,SHA256=51E7AEA9CA40CFE6F7D4EF08021705FC2BB9A96A84388BC1A4708E48DBFE1826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 10341000x800000000000000064848838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.773{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-53BB-61BA-7A07-00000000CD01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.772{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:44:43.771{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.771{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:44:43.771{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.771{B81B27B7-1E79-61BA-0500-00000000CD01}412428C:\Windows\system32\csrss.exe{B81B27B7-53BB-61BA-7A07-00000000CD01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.771{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-53BB-61BA-7A07-00000000CD01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.770{B81B27B7-53BB-61BA-7A07-00000000CD01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-1E79-61BA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000064848830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.174{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=944292D0ADB74576B18D16EE4BC14749,SHA256=06D9C64646A9DD046AC2405C979C1BBE2CD4D0A4A13071A68249A5383484C46D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:44:43.173{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=255242497111532B5E8C09361C843801,SHA256=0F1656BE630600B9047EB2F6CCE4E72AAFDE5703098EEB8D294492DF04328DB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.023{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9FBB0FA07F765C501E208B3C524EE0,SHA256=C6D2498D55916F0F82470F2AF1DAC98DD7A582A18C74ABD12F62E486AE9E14C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:43.023{B81B27B7-53BA-61BA-7907-00000000CD01}15241008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-1E7B-61BA-2000-00000000CD01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000132721088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:43.138{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F78890DF866519A48043F37142D3F86A,SHA256=CBF4DFB92F73ADAAACB4A40CCABBC2AF60B915BF03BB7A6EE6FBEEF2D7C2CDDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:44.732{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00953DCEDF093E91BCB4BA407785DC3B,SHA256=8618488E88F347B7DD825FC7863849B67409F970241A119E4CE98A57EEF6811A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:44.937{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=944292D0ADB74576B18D16EE4BC14749,SHA256=06D9C64646A9DD046AC2405C979C1BBE2CD4D0A4A13071A68249A5383484C46D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:44.453{B81B27B7-1E7C-61BA-3000-00000000CD01}31843208C:\Windows\system32\conhost.exe{B81B27B7-53BC-61BA-7B07-00000000CD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000064848847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:44.453{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:44.453{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:44:44.453{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:44.453{B81B27B7-1E7A-61BA-0C00-00000000CD01}7322452C:\Windows\system32\svchost.exe{B81B27B7-1E7B-61BA-2100-00000000CD01}1420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064848843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 
20:44:44.453{B81B27B7-1E79-61BA-0500-00000000CD01}412972C:\Windows\system32\csrss.exe{B81B27B7-53BC-61BA-7B07-00000000CD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064848842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:44.453{B81B27B7-1E7B-61BA-2000-00000000CD01}11963772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-53BC-61BA-7B07-00000000CD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000064848841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:44.454{B81B27B7-53BC-61BA-7B07-00000000CD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local53895- 354300x8000000000000000132721114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:35.879{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local50300-false10.0.1.14win-dc-128.attackrange.local53domain 354300x8000000000000000132721113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:35.879{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local50300- 354300x8000000000000000132721112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:35.879{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c830:191b:83e7:ffff-50300-truea00:10e:0:0:40d6:1f1b:83e7:ffff-53domain 354300x8000000000000000132721111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:35.878{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50465- 354300x8000000000000000132721110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:35.878{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local54438- 354300x8000000000000000132721109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:35.878{3BF36828-852F-61B1-2E00-00000000CE01}3040C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local54438-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 23542300x800000000000000064848889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:54.886{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95AF999B6A14F552D62CEF974F2763A,SHA256=02A9A3D52832F4830F84D278D222339AD23F41ABEC995E833543AED6ABBF330D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:54.297{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BE61B03BF7066069A7F91F790991C2,SHA256=3BBC068A29C0139D8C56221BEBA1E36195A9373313FDB019D9F894C56EA75868,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132721120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:38.107{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60122-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:55.547{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEAEE32229C766E54736784554B472BC,SHA256=F7EE1AB55625A247B4E2FCD70DB120AA84267B33A330D3371FE288E6FD36D510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:55.000{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691B0E851699DE67E63CB09AD92A78F5,SHA256=58650AA93C5B2B31022161CF5C04A865B251AC220034C793408C58324414598A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:56.054{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DED386E3C200D1C7EFFD22146F323C5,SHA256=8C5B79B7D0CEA7F039A3DE424F0994672FA5CE402372452BA2A9237FACBAFCFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:56.641{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D248DB0D54A5B8ED721167F0C3BD39,SHA256=D14F849855529827070E15E1E21C609A26E349ABAC6B8CA90485FE0A101A5662,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:44:56.047{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC151657D94807A17F449128C3DCA67,SHA256=935C45F58D9DFCC88E1E0B2D76066BC2229BC9168A71A06A32E72BF158492A2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:54.923{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52935-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:57.184{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF29774A577032100E8118DAC6A708A,SHA256=22EF85F496228B07FC887F497FC1049CB182BA52C06AE482E4921FEAFA72E59F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:57.844{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06347D4BC30C8C9F9667FACC017885C6,SHA256=B321EB8FD219F57F1CFE4491F170B8773B6B5C65E661BE17856FBCCF616A98CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132721123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:57.063{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A498C59B03D642E73F01E9F09776B1D6,SHA256=D47648668BB443276B25A2F53367EE6537A654B8E05BD45004D79D8093F1E6AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:58.268{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0621B99CD04B6F71840020668BD8D83,SHA256=FBE881A544437A7825803DBBA875F6F6D958B0088FABBAFD265BEE66D47842B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:58.110{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCABCF211FB0331184BAF5D91BCD887D,SHA256=1F778EB9D83BA1A253964AAC0CF236B610F32463844DA3E29F76ABF1ED5A6C3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:44:59.367{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0CF6D76D6CE36139563E614E6A7AB5,SHA256=7FDB560304823217EEE4AA17356AB6C1C56B2A62DDFEA5158BC4EFA8BA919F9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:59.391{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7505E7EEB3050EF5AEF6EA0D09C839F8,SHA256=A2AEAF0B332ACFF952E3D9DE2566E72994585B134CDC7212961D947B9B1E2B94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:59.141{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892591BBA23F7EB4157D5A7AEDE34593,SHA256=8FD511771FDB6C57C5F4E04E4029F3D32AE853279E48C1BF9D8C00CAF55C588A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000064848898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:00.551{B81B27B7-1FB3-61BA-AE00-00000000CD01}33564176C:\Windows\Explorer.EXE{B81B27B7-200E-61BA-DB00-00000000CD01}4832C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a56d0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802A5A678C8)|UNKNOWN(FFFF89343F034A68)|UNKNOWN(FFFF89343F034BE7)|UNKNOWN(FFFF89343F02F271)|UNKNOWN(FFFF89343F030C3A)|UNKNOWN(FFFF89343F02EEF6)|UNKNOWN(FFFFF802A577EE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a8f2b|C:\Windows\System32\SHELL32.dll+6a98a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000064848897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:00.551{B81B27B7-1FB3-61BA-AE00-00000000CD01}33564176C:\Windows\Explorer.EXE{B81B27B7-200E-61BA-DB00-00000000CD01}4832C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a51b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802A5A678C8)|UNKNOWN(FFFF89343F034A68)|UNKNOWN(FFFF89343F034BE7)|UNKNOWN(FFFF89343F02F271)|UNKNOWN(FFFF89343F030C3A)|UNKNOWN(FFFF89343F02EEF6)|UNKNOWN(FFFFF802A577EE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a8f2b|C:\Windows\System32\SHELL32.dll+6a98a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000064848896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:00.551{B81B27B7-200E-61BA-DB00-00000000CD01}4832ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator.ATTACKRANGE\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFd05c16.TMPMD5=91CFB418E67AF94384A55DFCE94DCB45,SHA256=9FA9787D4FCC3D24003EEA831DD685578C67A1AA483EDBEC052DC775F1D5A5FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:00.451{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEC26FDF2FA3C3315679C80B55D7E27,SHA256=0B3A235BBB5C99DB5CB3EDCC0BFD56DB01CEE068E9F4039A3D3241F507D7D787,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132721130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:43.279{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60123-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:00.563{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE6E86F54BA52BEB9EE779BB9E00B0CF,SHA256=F446416E5A284FF3A8B272A81EC0C1D24399777F5EBDCBE67901F8EE992845C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:00.156{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49031D5EFECCE9B02F56DDB83C38981,SHA256=A26E3BE5BED109E8DE6301041F62A01EC1AC4A001BCE86D2F1CAD34B6CE9D454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:01.682{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC8D64C50FACFFE3A9FED47D23C1A0C,SHA256=19698BE6A262978B54434894F91721924A566C9C24E1A7A3BF5AEB2EE5773B64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:01.625{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2667A9492770DD9A33E41D20C11C1ED6,SHA256=7DBF5C6A5E1B93C517C24D2F5EEEF3EDDA387A8755499C13DBE53BFB307E513D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:45:01.188{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737CD75B113C237C7148E56FF509ED77,SHA256=A4C88B113C07460093D13098328BE0CBFB77DA8E88F64977188947A342ED200E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:02.837{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993AB4D82CD7AEC8A92A85A57A4DD66E,SHA256=6ED99603E93B761E4635DF7E8FFBB44E7824A908C9A1543AAB7B93517D4CC041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:02.860{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E15D4CCFF46589BA9C8AABF0914CAEC6,SHA256=FBA7CD7C40FC7EB21FB3384ED936FD3F06CE62323B6A43780C65C21152E88FAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:02.266{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5669B7EACB0D4A83FB0FE7D3A720913F,SHA256=7094D46CBFDE0C24BA7FDFD99238E646F318B855A1251EF1812A4FBCC5D1AE8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:03.852{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FC9E644CC483590C55C626F741FCB1,SHA256=1A1A9F7DB5ECF7E48A53219B8F674BC0D48B2E113BDECAFC101ACA82E64D264B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:03.313{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4657DE37105681AF43ABD1E7C9678FC7,SHA256=C796027D3B75B118258F77C9EFB68DD352E9CB66C88E305CDB812E69C0B74535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:00.935{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52936-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:04.547{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833455A75FFFB14F05F6168D6F3773E7,SHA256=9D81FD66E4518E02F72E6FCBC8422B6216B2183BEADC2A00CF636B383432E1C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:04.110{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7FF5FA556CAAC32E48EE5F1F5460C46,SHA256=C6B8F10E732726A1CAB9FE43C0949BD32832CB3A79AECB62B1F739B93317D5A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:05.672{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1ADA29B874045C60E4036E7968328F,SHA256=D33436906910002A70E9799BCDE661EA26F214AB80A6224308661ADBA1CF3D47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:05.082{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C531CD921D121A100490D348FBC983,SHA256=F56E7D4A1B00CBC1FD5BCD5BA1DDC0D4F5DC9946F44242DFC54292A0846486A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000132721138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:05.422{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44316B811813C5E2334F307D7FAFF3D3,SHA256=0A8F0CF491A2E33F06D0C4038EBB7F40C7336137032EDE8403E4AC707764EFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:06.766{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFEA0C1C0BF1D2264BE1A7BE2370A9F3,SHA256=89F2BEAD22D030A13AD31A6DC5AF36535BC2F5EEF7C0B97985880C73E2782BCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:06.688{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8922818A49176B3C20BAD97CE2F5474C,SHA256=824C3766B50000F3A5CE8E22F10CBEA7E1301F4E87503AA3E540B586B6568DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:06.215{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044E1CEFC6DE83CC879A47AE5D45FAD5,SHA256=A074EFCC30114813700E0A1C2E94D21AC4AE9D26DDEB7A63191F493D6E86E3A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:07.922{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C08FB23D2151A100504061AAEAE94B64,SHA256=E27835134C5031DDAD9A8C7CA88A1F8DE83D491821A99296D3E6A870F5BBF1DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:07.703{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E825E8AD014B3E403AB4919B3BA42E0E,SHA256=35431031DAB9D86D60DE5E3600457E059F726E4B43B2AE3A43CEBA7706C11BC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000064848906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:05.997{B81B27B7-1E85-61BA-6900-00000000CD01}4032C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52937-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000064848905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:07.249{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3348B3F805D656C22F17C8774F2B682C,SHA256=C087BCAB53080A083CC7FE8CE0B9030792747DD0325985F5122EAEF3755F40CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000132721142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:44:49.091{3BF36828-853A-61B1-7100-00000000CE01}2816C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60124-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000132721145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 20:45:08.719{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C03C8B557ACE50EF9FC3CCCE31B03C1,SHA256=B411C15013FE4217A0307D9D477A5C466D4F48D41600FEAEE98506DF5B56E268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000064848907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-12-15 20:45:08.264{B81B27B7-1E8D-61BA-7300-00000000CD01}3388NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398BD9A05D5751E710FE826048C19343,SHA256=7662E08301BB71EB26AD64753563828B660828343145FF0D356CC3E9D7D2B663,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000132721146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-12-15 
20:45:09.156{3BF36828-8542-61B1-7A00-00000000CE01}2196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876EFEC6203E12602763CFF93AA7E2C8,SHA256=B2FB12AFFE4FF0C2A1C48C0AB89BBADE1F01247660B8BAFA37DB54AADFC8896A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space