23542300x800000000000000055896416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:44.895{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8CFBAA273D528E1A234D5E67E27AA7,SHA256=1F1FE73942284F0DC4F57D2B23A3E7D9B9C5743EC1E4B48126F962FAE0AFB699,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107385586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:52.531{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60948-false10.0.1.12-8000- 23542300x8000000000000000107385585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:44.345{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E96C63CBD02B117A5D0F546B27F0FAA,SHA256=7E642C7D0AB45FFCF30F77C94D577DA6158A27BC78FF9E370F930A9E5E140E92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:44.157{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A48566BCFD6C00351B4B09DA67982C7,SHA256=27436EB62904A03EF69440EB1D0AF571A14E5D328913FFC7949418AF26F4AADC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:45.907{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC063645F009DEBEAE242333F8F08AC,SHA256=817CE1053B8DB737CB245B92300B673667641034DA97FAA8EDD56B73284DE32A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:45.348{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB68F4313927ABC1E6675ED78B3ADB9A,SHA256=EE96C66C0812289162D4FA25C15368EF8CBA27C63F77FA02EF05B9672144BD92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:24.718{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62406-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055896442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.922{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F265969D0ACA196DB3E22F2EBA1BBD26,SHA256=8898EBF592B8D1EA1FFC8236CF9A822E504A9A28A27290D2BAE60570E0D6AF36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.988{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107385635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.988{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107385634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.988{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107385633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.988{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107385632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107385631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107385630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107385629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107385628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107385627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107385626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107385625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107385624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107385623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107385622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107385621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107385620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107385618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107385617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107385616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107385615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107385614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107385613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107385612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107385611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107385610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107385609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107385608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107385607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107385606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107385605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107385604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107385603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107385602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107385601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107385599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107385598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107385596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.973{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.957{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107385591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.957{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107385590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.958{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107385589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.348{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4521AB0544706F28F078DA19D8162B44,SHA256=D3486BACDC04A118C5F2A7682D77EB6A687C96AA1B7750C9679CDD3BF5DEF641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000055896441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055896440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x298ed2a2) 13241300x800000000000000055896439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7dc-0x350450ec) 13241300x800000000000000055896438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7e4-0x96c8b8ec) 13241300x800000000000000055896437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7ec-0xf88d20ec) 13241300x800000000000000055896436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055896435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x298ed2a2) 13241300x800000000000000055896434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7dc-0x350450ec) 13241300x800000000000000055896433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7e4-0x96c8b8ec) 13241300x800000000000000055896432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 16:44:46.594{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7ec-0xf88d20ec) 10341000x800000000000000055896431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-99FE-618E-6C41-01000000CA01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-99FE-618E-6C41-01000000CA01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055896420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.391{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-99FE-618E-6C41-01000000CA01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055896419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.376{B81B27B7-99FE-618E-6C41-01000000CA01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107385588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:46.067{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1362FF13B92A6FAEC0F04D98003ED24,SHA256=EF93C9B14D9714B77EAE2DA30FF31AC271D958D191AEF38061BC316B9E050464,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.954{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294C2E615D58C7CA77138D376555C8F9,SHA256=C6429A3E1073C3654A5A4003596D4450C080D734EBA2F032635E4BD61B1A1A97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.957{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0EB002F5561F4CA7AB062E18D2D5CA,SHA256=C2DA102B80597147DA7A1F0E22D5ABB37CC578E1917EFB1C5472BAA22A459FE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107385692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.770{3BF36828-99FF-618E-0410-01000000CC01}53405380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.770{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107385690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.770{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107385689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107385688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107385687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107385686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107385685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107385684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107385683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107385682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107385681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.645{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107385680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107385679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107385678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107385677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107385676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107385675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107385674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107385673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107385672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107385671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107385670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107385669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107385668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107385667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107385666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107385665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107385664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107385663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107385662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107385661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107385660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107385659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107385658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107385657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107385656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107385654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107385653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107385651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107385650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107385648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107385643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.629{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107385642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.616{3BF36828-99FF-618E-0410-01000000CC01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107385641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.613{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF76530403FB50FC8B1C691A2946235,SHA256=F843B9B9DD2892BE31B4B6DB0E61CD7C36D5DAECE1279FE54B469CCB10C026D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.469{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80E1E466D8BDEB75F06D56D2675C1BAC,SHA256=14CEFE77283B2278F3CD64B9D869685B9A5F32C6842AB179C55295DB307179A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.469{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90E0AB1E83EAC668B3F0CEE29FCA6B73,SHA256=884E1478FC89E7D792EC2F34C29959D325615B02866D184A438F90512D51B6B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055896456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.251{B81B27B7-99FF-618E-6D41-01000000CA01}49521400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-99FF-618E-6D41-01000000CA01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-99FF-618E-6D41-01000000CA01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055896446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.079{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-99FF-618E-6D41-01000000CA01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055896443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:47.064{B81B27B7-99FF-618E-6D41-01000000CA01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107385640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.113{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107385639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.113{3BF36828-99FE-618E-0310-01000000CC01}44004092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.113{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107385637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:47.113{3BF36828-99FE-618E-0310-01000000CC01}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000055896460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:48.985{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD99F7BCEF97CAAE17B8AFF4D910984A,SHA256=FA55F9A871C293DBDC9E6BCDD7B80E4C5E3EF29BB698E69E74EE17EC222851C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107385793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107385792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107385791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107385790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107385789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107385788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107385787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.926{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107385786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107385785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107385784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107385783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107385782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107385781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107385780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107385779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107385778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107385776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107385775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107385774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107385773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107385772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107385771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107385770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107385769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107385768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107385767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107385766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107385765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107385764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107385763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107385762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107385761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107385760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107385759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107385758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107385756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107385755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107385753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107385748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.910{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107385747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.895{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107385746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.692{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F040C93C8E9780AFB4839C51D1D2493B,SHA256=E0511229F239EB9CD2BA2B1A9101596D9E5E3A17DDC7215551C3483D74C30BDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.379{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107385744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.379{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107385743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.379{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107385742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.332{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA1DC6305817FA2613B91EDEE000240,SHA256=6FB873047B23EF861AFDA33293B821509A42F329DCF938AFFE9F4DC2AF0198EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107385740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107385739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107385738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107385737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107385736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107385735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107385734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107385733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107385732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107385731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107385730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107385729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107385728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107385727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107385726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107385725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107385724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107385723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.238{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107385721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107385720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107385719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107385718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107385717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107385716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107385715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107385714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107385713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107385712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107385711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107385710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107385709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107385708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107385707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107385706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107385705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107385703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107385702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107385700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107385695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.223{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107385694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:48.208{3BF36828-9A00-618E-0510-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107385856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.754{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107385855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.754{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107385854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.754{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107385853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.724{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311D704BE54288845F23653EDFF5822D,SHA256=8815724B195216D21CC107003C7690BE9733E3D1F1DD70B1DA9E7618CA9F39FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.676{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A944AC9383E0E60AAF57484B94C2DF,SHA256=866BB8EDA5A6F41FCCED56E2345ED8A6927701F6B0EC0D8237FDC790F3403113,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107385850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107385849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107385848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107385847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107385846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107385845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107385844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.613{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107385843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107385842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107385841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107385840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107385839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107385838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107385837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107385836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107385835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107385834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107385833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107385832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107385831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107385830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107385829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107385828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107385827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107385826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107385825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107385823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107385822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107385821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107385820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107385819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107385818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107385817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107385816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107385815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107385814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107385813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107385812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107385811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107385809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107385808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107385806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107385801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.598{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107385800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.583{3BF36828-9A01-618E-0710-01000000CC01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107385799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.207{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=840E3DB6A8ADFD65EF305825B3A614EF,SHA256=86ADC6029330000DF99659BF53CBDDC0BE056EFC474383F9F49843770274D687,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.067{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107385797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.051{3BF36828-9A00-618E-0610-01000000CC01}4168208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.051{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107385795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:49.051{3BF36828-9A00-618E-0610-01000000CC01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107385957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.910{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107385956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.910{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107385955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.910{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107385954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.910{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107385953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.910{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107385952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.910{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107385951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.910{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107385950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107385949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107385948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107385947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107385946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107385945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107385944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107385943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107385942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107385941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107385940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107385939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107385938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107385937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107385936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107385935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107385934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107385933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107385932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107385931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107385930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107385929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107385928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107385927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107385926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107385925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107385924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107385923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107385921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107385919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107385918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107385916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107385911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.895{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107385910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.881{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107385909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.879{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA0E6D893BA4F6DDDFAE2EAF37FDEF4,SHA256=01701B49F49070C53AC880A420CA6524AE3EE66BED8833BF5704587B6171EF1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:29.808{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62407-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055896461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:50.001{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CA095B031EF11F8097571F83E67DCC,SHA256=91F6E35D13CC45DE38BE5DAB8F94011809E4681D0DF69CE69D0DEBBB6302F6B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.582{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B21D2F2B9A05EC2743E17ECD503B53C,SHA256=801EC5E9015197526A178081081BEDC76B6E837617794FF2E3912B33B09FC508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.442{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107385906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.442{3BF36828-9A02-618E-0810-01000000CC01}52362956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.442{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107385904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.442{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107385903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107385902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107385901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107385900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107385899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107385898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107385897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107385896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.317{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107385895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107385894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107385893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107385892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107385891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107385890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107385889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107385888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107385887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107385886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107385884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107385883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107385882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107385881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107385880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107385879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107385878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107385877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107385876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107385875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107385874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107385873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107385872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107385871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107385870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107385869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107385868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107385867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107385866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107385865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107385864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107385863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.301{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.286{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107385859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.286{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107385858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.286{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107385857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:50.270{3BF36828-9A02-618E-0810-01000000CC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055896463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:51.047{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDA6BBB559C5A269521DC2ED4E566AD,SHA256=BB9F78AF1673F3800C4FCD5B887B487FB344AC416FC6D0345888A8E4B1B5890D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:51.879{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A56CF07815F9ABFAFF7E14BEA9FC131E,SHA256=F8509A2512CBB63616324621284F1E4293B2D5A85F06AE2E4C19CCDADDBCB2D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107385961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:51.067{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107385960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:51.067{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107385959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:51.067{3BF36828-9A02-618E-0910-01000000CC01}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000107385958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:58.536{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60949-false10.0.1.12-8000- 23542300x800000000000000055896464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:52.063{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEF8F23D8587156F8731C413BC5FB6D,SHA256=65DE8FDC006264846650D788B190278044B83730C3D565456EEE1CF026DED8FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:52.035{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E392A7D9AE374C569D2E813F192B4107,SHA256=9269D621F0AB87EF3996F0C7FBC989E38E72FC00C8E9BFA9F058A092CFF38DA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:53.094{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227CBC5D32055EE5AE03CBE733526EC2,SHA256=5384B014629986E3AEFBB4EF155BC0BB4AF48BDCFD490B4B3962D09EACAA6C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:53.035{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E59805DCEDE8B9A471896302FCABF3,SHA256=4B446372A47BDF6BFE0CB05B2C7FE6135340355DF2D93F57E239CC5F7D2E1084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:54.188{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F079F408C8C387F3C3D22E0138F8EE94,SHA256=2BF24826212992B34E5C2A9A71EE53F26FBCAEF28713564BDA635E41A258C73F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107385968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:03.083{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local60950-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107385967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:03.083{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local60950-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x8000000000000000107385966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:54.723{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=860D5C71804C66630C0642E76104C8D8,SHA256=6D2D2C42910AE922560423A8975B8B0B573FFF625279DDCF074A2DBB22139C69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:54.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F455B6083D95908573C5C7261C45B4D7,SHA256=E5D4522D4A318BB7606DBC5CF47584A0631C91945098AD47E5160CF42D7355E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:55.251{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35341956F8283A4E29F557A0CB9F517E,SHA256=4196AFDA21F56462D0E75FB2A374556F5AACACE677C707ED4FC8EA9BE8BA0D69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:55.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EA666335F80AE90A347F94020705F1,SHA256=47AACA720798FFF945352ADAB87CB82D02B8128C57F71172A5D8B6EB4C536A4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:35.746{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62408-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000055896482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.860{B81B27B7-9A08-618E-6E41-01000000CA01}14684664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-9A08-618E-6E41-01000000CA01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-9A08-618E-6E41-01000000CA01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055896470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.688{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9A08-618E-6E41-01000000CA01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055896469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.673{B81B27B7-9A08-618E-6E41-01000000CA01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055896468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:56.469{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2C6771FB9D1103558C499259BA2E0E,SHA256=93B9370074058D8CB57586A8A0FD6E4CD5BE9D6D2FAC0E6835732E0785289E05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:56.067{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97B4CEFAE34C8FAB7C055976323500F5,SHA256=D1B543A1B800C241BD11FECBCEEC2B324AABE74FF7161399B435868F0EDB5C85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:56.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931762D1B09493A9149B2BF7CD48847C,SHA256=E55CB1019E79F520E41F6CFFBC4FC41F46346E70C49DC1D44325F33E03BEAE28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.860{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36A43339BF7533A1963650D4CDF4F5CA,SHA256=455C96E1D647B1FB3A8E53D1AFEF306023DD59CE5AB296C40B3014B2FE171D83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.860{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A71E0C9C31845710C44FB22E5296E1,SHA256=998146404F647A1030FBEC3F2B5C1B39807D440C3F9617E938C7A5EA7940B7C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.860{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80E1E466D8BDEB75F06D56D2675C1BAC,SHA256=14CEFE77283B2278F3CD64B9D869685B9A5F32C6842AB179C55295DB307179A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:57.192{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DB3A6340B537B79F944427A5A8A789,SHA256=7D2A15CD021DB86ACE6C437DEEE0F6FE88F9FA0466A5913B61027CC8071372B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055896496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.391{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-9A09-618E-6F41-01000000CA01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-9A09-618E-6F41-01000000CA01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055896485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.376{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9A09-618E-6F41-01000000CA01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055896484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.361{B81B27B7-9A09-618E-6F41-01000000CA01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107385972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:04.440{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60951-false10.0.1.12-8000- 23542300x800000000000000055896500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:58.876{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C41E4F56B1025E97E7880B7BB308E6,SHA256=D1DD78B2A8BE7080CC72A28E2D9A5DB3EA31C2ADE7DE8CDDA4BB71779A23A508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:58.348{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF413A713F78B71F169B4755710ACB24,SHA256=C784676BE518A21602BF18FA6351F5367841CAF89A40D0A8B68CA30ED9F5C135,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:44:59.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6B2CEE9B0FCFD607EB9428681D9692,SHA256=32F53027B7FA29A263E514A7C7F365DD54B4B5E30D7DDDBFE6816147BD026901,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:59.797{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=107FF6160AAA327AF960C9D93F94D990,SHA256=D2B88D1323BA8BBD92FB701895CA35E16B7D63B89B4B5F25BE950AC5FA6B306B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:00.629{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7216592FDC0EBC5C51E6F6B7FF52A12,SHA256=7B598378FCD5E8DF792EA3D69D6C204391228B221A2BBA725C66EE3729974F41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055896529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-9A0C-618E-7141-01000000CA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-9A0C-618E-7141-01000000CA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055896518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.844{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9A0C-618E-7141-01000000CA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055896517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.830{B81B27B7-9A0C-618E-7141-01000000CA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055896516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.422{B81B27B7-9A0C-618E-7041-01000000CA01}30964552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.172{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-9A0C-618E-7041-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-9A0C-618E-7041-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055896509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9A0C-618E-7041-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.157{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055896503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.142{B81B27B7-9A0C-618E-7041-01000000CA01}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055896502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:00.110{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1432EB544C0AAF0F7249513D81C0DDD8,SHA256=D591ED8BFC45736FE9CAE73A140EAD2B029D88933015E8DD393D2611C93D937E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107385979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:09.597{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60952-false10.0.1.12-8000- 23542300x8000000000000000107385978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:01.676{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D7ABA4178D0BF5870098004D8C76AA,SHA256=C89505A8F3FD024C1E05464266D070B98198455F03E75F15DD443925B1A67ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.376{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C393E2C19C609F2DE0204808BBC21BA2,SHA256=AAA54A6970132EE4C94FA482E7ABF841D5C1FF497113519F54236EEA72FBE470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055896544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-9A0D-618E-7241-01000000CA01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-9A0D-618E-7241-01000000CA01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055896533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.360{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9A0D-618E-7241-01000000CA01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055896532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.345{B81B27B7-9A0D-618E-7241-01000000CA01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107385977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:01.035{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=275D47B9D39D061F2F1EE1E819207DBC,SHA256=C9DD0FD400271D6B189E36B4406F53537309EB30806629242FE5A9F74579643D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.157{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36A43339BF7533A1963650D4CDF4F5CA,SHA256=455C96E1D647B1FB3A8E53D1AFEF306023DD59CE5AB296C40B3014B2FE171D83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055896530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:01.063{B81B27B7-9A0C-618E-7141-01000000CA01}58885980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107385980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:02.692{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53170556513CA0BD4A5E98CE3BAAFB3D,SHA256=2E40A6EC0B6BCF073129D03570AA09D46B77439BC128D626F3E0229926E23549,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:02.376{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E86B763C2682888877A453B3E2F595,SHA256=F48086DC5E8C27D170AC96939F6707DC4ED3B0E70214F679690E5E35FC9329ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:02.360{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910BD1C121E172F7FD8D0F3D286218D1,SHA256=D8B54E5500291C837C3ADB9D21976D3BFDDE188A37993ECCEA49E2C93C1A6548,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:03.754{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAF489FC8FE5DCEB71220A22B42E52A,SHA256=5335768DA09D009A938812A87E449E04C3F7E7D5D05FF2E384C2EFFBC0116A9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:03.422{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22654C420B0B9E422586D80C898EBE2,SHA256=37A221773C825C620C7F81CAC74770A5D85DE145DB6D3A27BA53F7775ECA6D4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:41.699{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62409-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055896550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:04.438{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DD7EBB6006A835353ABDEE3E426031,SHA256=F3F937AE8EB1A2A8B0201722F751F3278251BBE593C32F15F7432106FF5170D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:04.756{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D198F79DC3FF8EE088AC88A696C5D5,SHA256=2479FC667ED969492C0D3AD18F512ADAE3360EB7A3C5A26C75D8B8011B520593,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:05.769{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4553841968B7EB649BE97A6AE5A017,SHA256=3A5122ED50ADD1C6DEDE772A66267629A9CDF903DF56B93577478E6571B65B87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:05.451{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA275CF4AE97C8829E709E99B2D7AF94,SHA256=878795E10411AB99E310468FB445589588930811743B2EC6B0DA1BAE254D512F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:05.266{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:06.769{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FA31334F8813D70BD4F35A4424F9F5,SHA256=8EF270239518CE4D0D3DB4D3F944AFF3103F6ECD3078671F476789B4B213055D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:06.467{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A58550091938C38F86268B8EC8DC60,SHA256=7974E98C997C565B94E8A6F722E418CC5F8BEEEB2465FBDF129D7851B08BAA8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:06.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C14149BA07545C9C5DE8E5DE1C177AA,SHA256=B3A1C2A6270433CE0BF357D606475756C84346BE2D4C651C5F1B499F5B5A5BD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:06.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA0536912DDAFD4ADDCCFFAABCF96471,SHA256=47483E8EE2E41CDCE80B8F82FCAB9BC03AB8ADE84D685C0EEE497AE07D29878E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:07.801{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829C0D2CC25A1EA306C63BAD4079D941,SHA256=5CAFA03C26D48BEB01AAC90B83D68CDD1ED4807C6C6A889747A75C3C29888C5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.685{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90069375D07798E29662FF465D2ADA5,SHA256=1416CF3C22FF2217A67941A11D477F4DD9414E11E59DA6D7E4BD8C5F3A4BEC8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:07.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C14149BA07545C9C5DE8E5DE1C177AA,SHA256=B3A1C2A6270433CE0BF357D606475756C84346BE2D4C651C5F1B499F5B5A5BD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107385990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:15.097{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60954-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107385989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:15.096{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60954-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107385988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:14.624{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60953-false10.0.1.12-8089- 10341000x800000000000000055896581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055896553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:07.373{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107385994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:08.801{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FDE12DE2437E8437BA44D8C72D695F,SHA256=C7C4B769EA9B9AADD727B3E09758766FEE3F5D8CD10DD0236F5644A53627C963,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:08.763{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DDCD80280888C4AFEF258B90102EF3,SHA256=ADDC5E6C904AFC591906C31B781890E40BC8227942B61EC9A789251C4B7D2BB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107385993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:15.424{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60955-false10.0.1.12-8000- 354300x800000000000000055896583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:46.838{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62410-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107385995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:09.879{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7189D8217DD553559ED5052153DB5737,SHA256=361B838E65F16D23E5912C8E743E20F7472F64B1E354CF617BAD79697E9DD6CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:09.935{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302A961D3413587F04038833E3E1C79A,SHA256=D63C7F9D0483D05F76E51024E1DC18CDEB64E580A8498FED7895F81475109262,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:10.951{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5722C4F457C10F145973C00BA229CF,SHA256=A6F40E7165AAFD06E79FDACB805C2304DB5C7E7FB558EB209BB6479E4343EA85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:10.894{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AC4C9F699FF93E24462E40E01E351D,SHA256=B75A3CFA446745CDE54FEDD1AA614FC54CC8C0795E0A7B66BD84CCD36406E581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:11.967{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63A84125F425EF95AFAF5C0F5B12123,SHA256=1E97748BCAD413B6DAFBE3CCDDF56F38DEDEE4444E86EEE9BCF8D614472D35B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:11.894{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FC217EA174BA063DEC2FDA469D1DAD,SHA256=AAB4D37E6AA27514A89AD0A6DCFB2E84F40241584CECA0C66E9E84D1CBE35396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:12.982{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7706CD24E6E9EE8F7EB9079B4B52EF,SHA256=EB4C52FE6B61C9EC2479EEFE727513B6263A72B6942EC2E7E0E2B353AAC80CEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:12.144{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F871C7B1855737E417E7D2DB350F0BB,SHA256=443F71A890D39C62F0E16A694805EC44D9FFD6F4992E1D74FC14BA419DF9F71F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107385998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:12.144{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F30AA98D48113EAB2F6711DABF11C59E,SHA256=AF0CFC07B59CAFF0DD26C0FEE2895270A1888F7AC4E8167F51815E6F0B27B5DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:52.742{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62411-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000107386001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:20.487{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60956-false10.0.1.12-8000- 23542300x8000000000000000107386000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:13.129{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7675DD6C9E89781C3185F9823EC76F42,SHA256=27326A41308F275F50FE282D84714ADCE0491E1C7027E30BF0DB6195BAE7BECC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:14.129{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DB07318FDD12D6EE67148E2F609D3F,SHA256=98AA0A720B80488FAA0CA7A594D3F0240AAD0A156D2DC032D5B1DC11C6E98B6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:13.998{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912C97175F171E2797BB69AFE2B3956C,SHA256=9383A00A3AD00916C482C254C05432E347D5B6FDB4A59A2EF95D4C5EB9CC6E83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:15.013{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D2EC4FE77C9D988E6B0E6D99924078,SHA256=AA218F0C6C70FEEEA1D6C782C27FCA615A3835F902FA8299A88E662DE5CAC4E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:15.144{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11C434AD5697C4046BDC18D53248750,SHA256=1508DB4911E5E13EA8CF568A81B2364F7593140E1BA2012C612EFC4DC8239C3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:16.029{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8528C8E8BA5FE8F2D42F84B81DAB84,SHA256=35C7CF203F1146DDA2A64F926E37F3EA68302FE632735DBA10ED248EF812160A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:16.191{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE3F683142AECF421593068B9D2B7C5,SHA256=8AB1E5E3E436FF17DE981E5055D71360C7C2BABC9E68D9774041EDDB342519B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:17.045{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5F805AB80EFD9C17CBB2EA48D71F3F,SHA256=1A048AE9C2CB97ACEE6701098F578D21C660D5B9467EDBA0698A2B4C5E53380A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:17.238{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C429D5627D87E1D93558E767646244D,SHA256=4C8C3BD06F99392DCD60958DAAE7B9BFE93C44326565D9C4139567A53C250DF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:17.238{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F871C7B1855737E417E7D2DB350F0BB,SHA256=443F71A890D39C62F0E16A694805EC44D9FFD6F4992E1D74FC14BA419DF9F71F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:17.191{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547271F2CBC3FD5B8C517878A5BE5CC8,SHA256=04C77BC4A5353748916FB16F923624739A6A726360C4E93D6D1321618C082A91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:18.207{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021707B4CD2BB6BC5B72C7A79CEC4D0E,SHA256=2DA724C7E90F36AD92598EC526E639F0B076E23E969612A408069E8621D0DB1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:44:57.836{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62412-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055896594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:18.060{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65893C191C9CA703270F3ECD641DB7A3,SHA256=D83180F1CD9F8286D06A0B4BCBAACEF55EA08798A2F60668C026E622FE6D2CC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107386008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:25.582{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60957-false10.0.1.12-8000- 23542300x8000000000000000107386010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:19.238{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE641C269EF419E6F96918D2BABACB7B,SHA256=4B3A61D6EDDBF28B2A9920A2CDF9D7B9D2EB1A9BAD2EAC3E395B956124E37106,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:19.076{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E29668532C6186B9D32EAFA9AFC60C,SHA256=A612523644A489CE895B76120C0BEF0337B96C86143B14F719042A9AC12EE1B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:20.441{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=59A463727AE25D8F8B6F88132E628675,SHA256=D3BE36F144222B1ACA75E2C105FF60541ABE8D0418CB2344EC2C19BC393BF7FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:20.363{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB6192C75A4FAB70FD5DEEECA033B59,SHA256=AC7092F25277467524043F22C38A1263BDC63B29E9C02B54C5749BD7C1A35B74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:20.092{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B2304EBCD7A60C37078649C5A09180,SHA256=53D667F326874891A288274F52E1419EF30B9C773F6FCF34AD503C3BDCAFF58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:21.394{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9DF23B8BE67181755D4CC7C40BFF86,SHA256=348CA03CBAFBB8A4A0AF8F56BC6E5AF3079C855722B997578D402CBB17DDEB5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:21.107{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF810E653113219C9216E5E28603926,SHA256=4EFFF97C630B5E80665FFD3B399B169460B47F9BE133ACBB99F7A917DB63D4AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:21.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C429D5627D87E1D93558E767646244D,SHA256=4C8C3BD06F99392DCD60958DAAE7B9BFE93C44326565D9C4139567A53C250DF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107386040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.707{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107386039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.707{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107386038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.707{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107386037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.707{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107386036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.707{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000107386035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.676{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107386034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.676{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107386033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.676{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x8000000000000000107386032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.676{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000107386031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\wermgr.exe10.0.14393.4104 (rs1_release.201202-1742)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerMgrMD5=CDACB50345D70AB9D6AAA8C00C1D08CA,SHA256=95F57395CE1C04DAB609571CE86E48D1DBFA81CAFCD9D724EAA9AC6DF2ECF4DC,IMPHASH=6DC2C72968365A54FACC1F52003C32E9trueMicrosoft WindowsValid 734700x8000000000000000107386030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107386029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107386028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000107386027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9799-6185-1400-00000000CC01}10564860C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107386026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107386025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107386024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107386023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107386022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107386021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107386020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\System32\wermgr.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107386019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107386018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.660{3BF36828-9799-6185-1600-00000000CC01}12721960C:\Windows\system32\svchost.exe{3BF36828-9A22-618E-0A10-01000000CC01}4676C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107386017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.644{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107386016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.644{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107386015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:22.410{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261A6354B4F2D971E027C48983219060,SHA256=41F5389D2EBFB596F1FBE825A80096D8313264BDD526DC5753AF6A2B61D54915,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:22.123{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD112C8330B59729117DB3441885AD06,SHA256=9106BB3EAD0D4625934B97DAB42B3ADDDE687E715E611C55A60ABBD520BA4485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:23.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376693D2704923AF49517D396DD0739B,SHA256=48952AFCA51E2B4870F5D657586E2B414381300202565325123D03209C90FD0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:23.904{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:23.138{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875B9435951388F7A366613B70D2DADA,SHA256=1ED8CBE1CC66229FB3867A18FDA88CE3F9A646EB249F2DC39258EF31B2D840C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:23.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F30720A1A01D49CE89D8617A965A4221,SHA256=70CE827E94273FC547BB052B0CA110186A8C6D320AF6DB2E71E3242667207FA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:24.551{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764E949D9E599F3F82B04D4E7268D8EC,SHA256=28EF1445C84785C7FBB836764CB8AC7E86AB2429285FB6BB7778FE35C020E8C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:24.154{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121637791BC96A8514B74AD930116709,SHA256=99A7E1A1186733FFA4A7FE7780055FDA85B382C70F525F6AE891AAC0B2AB40E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107386043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:31.550{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60958-false10.0.1.12-8000- 23542300x8000000000000000107386045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:25.551{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD16D6D5E61CCDD811223AA6E6E63BC,SHA256=004E6CB4317E3515FD84BB1FA62531A123DEB744246F2E085FEF5381C3457F02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:25.157{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F28D67DD0FB3710D022C94C71C6058C,SHA256=17AA060BBDD9519B11749A58F06412C08FDAD7B990161CDF4664D8558E188B29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:03.789{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62413-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107386047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:26.567{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64F1EB70551E57BBB4C8BE267B44504,SHA256=4C5BF2DE4A88D7D3DFC180B6ACDCCDBFD247EFCD13FCF90B5E34D62628DF51F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:26.173{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ADD16F350C96C55C8E9997557784FB,SHA256=C8543AF492449B7243C92BB75F44D8D1BE5973FF75B5FA1EE62612A819FEE406,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:26.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C0F155B2D597E44B25AB1320179E91,SHA256=CD262C6373EE0536963EA9EE21D411BC6C0DC340E2D96C1FF64D755CE3374417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:04.477{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62414-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000107386048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:27.582{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C2A430F9B1BF6CBC09A3F385D463E3,SHA256=8B26086A5F225DCE764840A678C729B61ACCF136376B3E0086031E6B0BACCA67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:27.188{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05D8FBC2F7FEACF079FB823D2481F6E,SHA256=60142A4F6A85742A575C29425141D049992E00C47832FF42536BE7B6D2B06C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:28.629{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781E687731374C1EC6909D4D0D8E1F60,SHA256=6F1DEA8B24371821D223E85347CD2D790BE424316F0E98FBCB6855E302BCEABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:28.204{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417943FECF9408B2D22402C5AE3C0799,SHA256=6E10DA627E467DC2485EA0CA16C16581FBD7ACE45F8F4C393FF79D5EF795AB41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:28.254{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDD0ED0CA913BE161FFFDF44B73D2BCD,SHA256=EBE32FFF5AE7EA2E45EDD6B799B138CF1074212735D34D3258EA3CE6AD976E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:29.676{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B40710240FD397E93EBB56CE36FA165,SHA256=4286CE872133A1FD7219179D4ACC59F52EC63693C4E276EE14EDC9BA9E781AB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:29.219{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C728D960F6E92154841D83F8A826259D,SHA256=A2618206084CA1C7462C0EDAE675D3A45FBECDB35C1DB905648730C0F6C8C44E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107386051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:36.613{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local60959-false10.0.1.12-8000- 23542300x8000000000000000107386053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:30.692{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B82D10E7962607F481DC0300158B14,SHA256=D2FEDD66D35B6C3457039584875840A4AD8FA37E241EF9F07E566973E9984E65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:30.235{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7506A78FFE81FF6893365916E7A45C56,SHA256=768069A7F3A616F5A35619D3D7FB055E32BBA37BD5E337DC75B5FE2F081C82FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:31.770{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2A29A30B875A4F26F61BA9ABD78852,SHA256=420810B660D18F11D92324C14391E0F548CB89FB69618635D0D646CF016ED55A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055896612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:09.714{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62415-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055896611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:31.237{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE93699B5ABD79CC560064F8F22351AA,SHA256=3678FD07D68F97ACED06568D2B75F316E16E6DCC7604E7015090934432AC0ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107386055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 16:45:32.785{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7F4963A343CFE3EBB9EE228314A07B,SHA256=3F4CD7FAFA18C165CA925F18A4388A98758EB0C683A90C65EDF4E8321F957842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055896613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 16:45:32.250{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B79DFE4458EE6EF4FCD479EEFDEECF,SHA256=5958BDFA2EA68FE7F038B8EDBF1538AFF16EE7840B22A490C82D130CE996C706,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 235423