23542300x8000000000000000115825338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:39.945{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BA7685576766BC447AF9E944CA7A5CC,SHA256=56F0757ACFB9DBBC3EE7E24EF251868735CBA273D7D66B7976D09DE9619E58E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:39.814{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126FC26565748F41A74D49D49CA87A25,SHA256=F0542B437C270250704E5C18E88DEA07848CC9095096882EFF6C8A2834F52B7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000059040213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.839{B81B27B7-640F-619D-4834-01000000CC01}4268896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B4-6193-3100-00000000CC01}31203140C:\Windows\system32\conhost.exe{B81B27B7-640F-619D-4834-01000000CC01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B0-6193-0500-00000000CC01}408424C:\Windows\system32\csrss.exe{B81B27B7-640F-619D-4834-01000000CC01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059040203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.667{B81B27B7-28B3-6193-2C00-00000000CC01}23323408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-640F-619D-4834-01000000CC01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059040200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.653{B81B27B7-640F-619D-4834-01000000CC01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-28B1-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059040199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.651{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C497A468D07EBFAA8B3739FFB831C708,SHA256=918284073ED5C1ED5F12C6AFEF7C24B4665B3416FA450F2B0AA8E7B3B69D129B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.651{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346888F5141289D86240373BECF44D13,SHA256=9F8E9CB82E5E248391F9149920A2CE51EE6F1926DC4538FB5C54542BF0D614DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.651{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8526C4CD3278E96043FEC68986117B4A,SHA256=1C3F300FA123E868D13EC113C49A8C18410E5734A6BD6B010794A186E7E69151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000059040196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.245{B81B27B7-640F-619D-4734-01000000CC01}5096864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B4-6193-3100-00000000CC01}31203140C:\Windows\system32\conhost.exe{B81B27B7-640F-619D-4734-01000000CC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B0-6193-0500-00000000CC01}408384C:\Windows\system32\csrss.exe{B81B27B7-640F-619D-4734-01000000CC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059040184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.089{B81B27B7-28B3-6193-2C00-00000000CC01}23323408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-640F-619D-4734-01000000CC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059040183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:39.074{B81B27B7-640F-619D-4734-01000000CC01}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-28B1-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000115825340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:40.844{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169A0B8A23268A9159917DE8E0E31CF,SHA256=8B76372A10986D642C9D62FDAA3312F109F75839157C2C869B89347CD2458D29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.792{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C497A468D07EBFAA8B3739FFB831C708,SHA256=918284073ED5C1ED5F12C6AFEF7C24B4665B3416FA450F2B0AA8E7B3B69D129B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000059040227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B4-6193-3100-00000000CC01}31203140C:\Windows\system32\conhost.exe{B81B27B7-6410-619D-4934-01000000CC01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.356{B81B27B7-28B0-6193-0500-00000000CC01}408424C:\Windows\system32\csrss.exe{B81B27B7-6410-619D-4934-01000000CC01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059040216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.339{B81B27B7-28B3-6193-2C00-00000000CC01}23323408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6410-619D-4934-01000000CC01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059040215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.339{B81B27B7-6410-619D-4934-01000000CC01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-28B1-6193-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059040214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:40.339{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC9E84D93FC84469A48629392B6C091,SHA256=617706297122549E7A883827D6672A718E133B57964362183455CAEAE4D2901C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.792{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61963-false10.0.1.12-8000- 23542300x8000000000000000115825341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:41.859{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213E09AF1B57EB4484D1AD300F6E3566,SHA256=6FB3215C7E77D2CCB6C28C95CD0BB6DC5B91642B2D36643EAA3A71A3FA5BD828,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:27.903{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56855-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:41.354{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CE058DE14010CFD6FBB0B788A6520B,SHA256=0B9638D0D29DC697614E03F4CFE2D84AFA7809262EAD014356C59CF8418CD07F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:42.877{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A807801B1C2C3F4F2B2C8641F69A95CB,SHA256=59130A82FD1E81F0CC81C3BBF72211DA0764F7D5B28A3EDC08D0827BBDE0B826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:42.432{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5B7D628663DCFD282373B425DB8462,SHA256=771BBBC70589E8988094BB4A83833C7F3187DAD218A1514AF9B82A93EB3E6EB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:43.910{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0FA7D94BE666897DB77C419125C1FE,SHA256=2E8F11FADD0369F176ED8C414496F2C64FCECC78F8CD23F9D42575019BBDC198,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:43.667{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D673D26079DD41685998AA1748ADAD,SHA256=4964CC4AB0FA218EC508EDF20BF07EFF361676FEBFAF77D1C883FBBB04768AA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:44.975{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86A20CE9AA0FB87F3434CF70B4BD340C,SHA256=313C23889DAAF7628DBB8F44A70E9EE1F7265F4E7F38DE1EC5107CC057001BD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:44.974{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C1425E773087E1F10B12ED22F1F9B2A,SHA256=BF8857DC6CEB992BC008B2CF2473D70430624FA32547022F07015F1C4EFFD39E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:44.924{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32449E35C7151F715D115F257E889906,SHA256=D5860826B2DD41A7A619F48FE6B376C761485D538AF52E32E0F6F082ABEF6B80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:44.698{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2DDE3A03EA1B4254220EC06DCA4553,SHA256=3D8059CD1E7BA724367AEC6D8C1BD65518A1724D4541990267DDA6469A7C2903,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:45.885{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331DDA525644D5734988AE4AD2B4EF49,SHA256=9CB066B5E76CF5B25969BA6488064614137143F62DD107251A1E43266EDB88A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:45.939{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBA2C7DC5D285ED005593854B4A7AD5,SHA256=C1C46BFB808560440970E56760D6D4946674BDB96933CCFA41AA4E82FBEABC04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:46.953{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A6916B29E76EB62706CC75350FDBEA,SHA256=34FC4BF53EC4D927570D47C670A5E5AC4C16A05481E11B3F5822C63B6B6ED735,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:46.853{3BF36828-47A9-619D-74CA-02000000CC01}7544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5DtrueMicrosoft CorporationValid 10341000x8000000000000000115825349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:46.875{3BF36828-9799-6185-1400-00000000CC01}10561612C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000115825348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:09.754{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61964-false10.0.1.12-8000- 23542300x8000000000000000115825353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:47.954{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B640620E2F6738A3806FC928EE9B5CD,SHA256=47949A695C68ED1A1697D161DA0AA58906E9B59F0A6FA2D521D39F1C5656DE01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:33.934{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56856-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:47.104{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C04BCBE8B3968BD18F6F47BD94C590B,SHA256=00B20DC3EE3C78D291D4ED8318D7ADEFA13FD1DB01C7810F55282221C4E0F9C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:47.854{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CEAE6D1E1F490E2C24A40E730F5BEA71,SHA256=CEBDE0F947EABA63B64CFBFA31D831963D30B7734E0C2DA7521A5D99745F3E81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:48.970{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097FDB26CF5B4F9234DFEE7E9B615A11,SHA256=3C645DBCAE825ECA651058BFA9F2F584453107694CCAEFF7B79EEBACD682D3C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:35.375{B81B27B7-28AE-6193-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgmfalse10.0.1.15win-host-987.attackrange.local138netbios-dgm 354300x800000000000000059040264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:35.375{B81B27B7-28AE-6193-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgm 10341000x800000000000000059040263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7600-00000000CC01}4688C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BB-6193-7500-00000000CC01}3804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7700-00000000CC01}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7700-00000000CC01}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.948{B81B27B7-28B1-6193-0E00-00000000CC01}824844C:\Windows\system32\svchost.exe{B81B27B7-28BC-6193-7700-00000000CC01}4860C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000059040237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:48.307{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D34E1B3BA60F308036FC6AE6FD34C54,SHA256=01890066EA8FC688B1370CAA6D4D9F880A5C756DEE321D19F905BF9279A855EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:49.992{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E653C446EBE40F807E86078BFA8903EA,SHA256=0FE6C04C1767F2BF155E27A40DD12350742F9B254B6E7322912AF200DB14A4CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:49.448{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01320C646F996D940E16C70EA53CE184,SHA256=8F6B0B3F71B9D523712F9E79F4867F31C77812A03A957DE9992CCDD0BBC0F1A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:50.667{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FECF8DA00A27FC43F816D660A049B2D,SHA256=7F05E349B936514BAE46C943E7606682D5D1294E83562FA0C57759DAB5F5DF5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:51.854{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD55A1CAFBCA10BECB101383773224CF,SHA256=07319BB875D4CA31A2CD2E440D9B94BA1E8186D2BB3DFE981534D296ABBCE2E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:15.631{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61965-false10.0.1.12-8000- 23542300x8000000000000000115825358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:51.122{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5CFA83446AB19E5DC61C15E66FCEDF,SHA256=7566B8C6895EF0B3B7E2B6DACB2602B419BEF503EABF1B1EDCAAB01759D968DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:51.122{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86A20CE9AA0FB87F3434CF70B4BD340C,SHA256=313C23889DAAF7628DBB8F44A70E9EE1F7265F4E7F38DE1EC5107CC057001BD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:51.022{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF556477CBC48119FEDCFD689B807D0,SHA256=BAA00EB73EBBF9F5CD98C0A1BF92A20AB1697CA403181981548F2AC37D492489,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:52.052{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0EA3C2A38083BD94CB24393F5988E9,SHA256=AE9D53C61B97DA5D29402E7BEAD37E4249098789267720AFCC1E20A5BB258993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:38.949{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56857-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:53.089{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AE8751B5111055670E3BDAF37500C2,SHA256=F80F07CE220BCFA2BAE5198F2F9893EED0288D863E75C1D248F4B3764C281252,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:53.088{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049DBB353E920CD4ACE9FE9C2A96C81E,SHA256=849AD6FF3810E1BC0768722C543DBD4C65E816594B95E2DB151D3A00348AC1CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:54.307{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5CA9C1A7EBCCD63BF5EF76590E37A9,SHA256=26010AF6D30BAA5FF1398169D4269D42D31883A610ED45952A3EDEAE9EE56DD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:54.119{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21240E7D47DFD808068F5B08E8077B7,SHA256=AC0FE0D7B97F19D7D2858DFEF3FD311F0998B47FB946498D30D2733010202A91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:55.339{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C1926533C01E737216BE39BF23ED76,SHA256=FCCDB8E0E5F29DF4D3F3DC1A0C3C401375A125A14D1904667FE75529BF20332D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:55.149{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A5E8277DC10B81D99879159AEA2096,SHA256=EA0FA72763FAB299A8FDF2653E036C7FC24CF94545B2B704B63BDC9EBFD45DDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:56.823{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D83734AD64B5A201C56904778EF128C,SHA256=2BDBBE04BEA20E28D61D9ED9CBE6A32114455857731DAC3B33AE8CE5AF908FBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:56.823{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61821818190957448FD4D2A1ECEE763,SHA256=D1F1547A29EA1FA6C84C5BDA30F29EC395028C0D529AFB64747B3FC1A7674F25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:56.432{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F83D20A6362725EF421BC8B131C2708,SHA256=4FCDFBB32E002D69542AD656A0FEA568C823B67C349DF6706DC369FB17BD01BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:56.832{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8405C984BD2073985A696D214FFC8E,SHA256=F7B7E28136A57B26BC42BDA1B5F95456C00A5846E8987C72F11A757EA72D3B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:56.832{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5CFA83446AB19E5DC61C15E66FCEDF,SHA256=7566B8C6895EF0B3B7E2B6DACB2602B419BEF503EABF1B1EDCAAB01759D968DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:56.165{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B105D2E4F5077CB6E7320DCF5CB798A1,SHA256=FB9D563460AF47ACAD20C4AF17CF27D58963DDB0EC2599A999B21FC54D7119E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:43.508{B81B27B7-28B1-6193-0C00-00000000CC01}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56858-false10.0.1.14-49672- 354300x800000000000000059040277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:43.506{B81B27B7-28B1-6193-0E00-00000000CC01}824C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14-61966-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x800000000000000059040276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:57.448{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805E5843BB9FC95161247360DDCD9DB6,SHA256=6BDC5D657F3682BB47CDD93411A1A7BE307F0C15025820628B1C69366381D51E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:21.662{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61967-false10.0.1.12-8000- 354300x8000000000000000115825369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:21.349{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal56858-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000115825368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:21.347{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local61966-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 23542300x8000000000000000115825367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:57.200{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE03DAB86FDFD47286A5889E8E8645CD,SHA256=F31D058D362256EB7B34E3327EADEFD887A6BAF1B7F4B18BF953A2D198147B1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:44.824{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56859-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:58.464{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758BE9EFF9DAC1D3F351F626A4505862,SHA256=BBF6C986C482C24BAD90D896F4BA3FBE46487141BF403B80F87869E088B2C134,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:58.238{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8405C984BD2073985A696D214FFC8E,SHA256=F7B7E28136A57B26BC42BDA1B5F95456C00A5846E8987C72F11A757EA72D3B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:58.206{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF316DDC37F297DD5D8023B999FDB92,SHA256=021EF73C0352D08D297C1DB81B5007BA25B5B5C4B10CA079ABE5BDEE19AF7897,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:58.050{3BF36828-47AA-619D-75CA-02000000CC01}4444C:\Windows\System32\conhost.exeC:\Windows\System32\console.dll10.0.14393.4169 (rs1_release.210107-1130)Control Panel Console AppletMicrosoft® Windows® Operating SystemMicrosoft CorporationCONSOLE.DLLMD5=B4FA6EA67B74613625E80BC35EAEF78E,SHA256=E9F9FB362B9AAD29300367E338E9CF123ADD019519D9A94288265CEB3624A9B8,IMPHASH=2FC254EE7284D720BD50F4612F0840A6trueMicrosoft WindowsValid 23542300x800000000000000059040281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:59.464{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC16B8D94EF7922190A69C709A0DDC8,SHA256=CB3BCBA34AA40C4DE4719DBF525B4ABCD078BCF5A54A2489887099C227840B02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:59.970{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFF1F44328D996E2DA191AF92B7649CA,SHA256=ADC821F4C000C5B2E13CFE9DA0BA8899A407C68CCDBB4EBD53EFDD4597BD8C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:58:59.221{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46CCC80BAA5F022AD498652A0B50A0F,SHA256=636368C5765149438E04465CC8F6E0896226B9C6090F8B2E52A4B9A2D5B14E69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:00.479{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DD54842FF8E070CC142C99BF3DC193,SHA256=CDC971DEEEE1B0F59815392C3011266189B048C3670740AB5B8CA3CB3DF8AEB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:00.225{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB371C6AA965C82B6EFDD019EB49F18,SHA256=DB9C2EBC5B4008AD05545E428345BF0E0F116CA64B631698342335BCF5248DA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:01.979{B81B27B7-28B3-6193-2C00-00000000CC01}2332NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:01.495{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B898EB182550A4BEDA59A9E5830ECF,SHA256=D70FD5CF171DB8A6F0A93C22017BCF5645003E0B4D94DCB9DCA8054E11150D33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:01.240{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FDEF36AC86BDA0431B457E8841AFBA,SHA256=EDF2B40D4E375B7FCD032204A0A646739FCBE40A5E509139DC2F28970C9C3595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:02.511{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E032CADFFCD43B55C5EE0FFE915FFB2,SHA256=7BD90B48D46AEFE72D507FF114BF49CD8809576C18B0BD9FF8600298C78F3895,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000115825381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:02.708{3BF36828-D71A-619B-E89E-02000000CC01}53247900C:\Windows\explorer.exe{3BF36828-8A4E-6195-DEE0-01000000CC01}3124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a56d0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800744DA8C8)|UNKNOWN(FFFF9FA7F34B4A68)|UNKNOWN(FFFF9FA7F34B4BE7)|UNKNOWN(FFFF9FA7F34AF271)|UNKNOWN(FFFF9FA7F34B0C3A)|UNKNOWN(FFFF9FA7F34AEEF6)|UNKNOWN(FFFFF800741F1E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a8f2b|C:\Windows\System32\SHELL32.dll+6a98a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000115825380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:02.708{3BF36828-D71A-619B-E89E-02000000CC01}53247900C:\Windows\explorer.exe{3BF36828-8A4E-6195-DEE0-01000000CC01}3124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a51b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800744DA8C8)|UNKNOWN(FFFF9FA7F34B4A68)|UNKNOWN(FFFF9FA7F34B4BE7)|UNKNOWN(FFFF9FA7F34AF271)|UNKNOWN(FFFF9FA7F34B0C3A)|UNKNOWN(FFFF9FA7F34AEEF6)|UNKNOWN(FFFFF800741F1E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a8f2b|C:\Windows\System32\SHELL32.dll+6a98a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000115825379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:02.708{3BF36828-8A4E-6195-DEE0-01000000CC01}3124ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5cf78b88.TMPMD5=D213798EE93565EF2CA882F8ABF63BB1,SHA256=25BA1F8912A6BCB73C4607976DB10447EE3AED6F4B3EC8B11349F03BDC26BFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:02.255{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DEA7A52645812E52D00B4FF3526EE5,SHA256=B5EDED0BDB8AA9B0187E58C9313AA6E7EE7EA27AFBD7A428BA8B1741805F23E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:49.684{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56860-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000059040286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:03.526{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB95AF5452DBA2BAE81E6193FC72612,SHA256=2F3BA7CB6ED1423AF6698360FB5538AB2D193CA7D27CF4F58BA864022B5A4E84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:27.632{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61968-false10.0.1.12-8000- 23542300x8000000000000000115825400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.424{3BF36828-8A4E-6195-DEE0-01000000CC01}3124ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\v9017qz8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.424{3BF36828-8A4E-6195-DEE0-01000000CC01}3124ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\v9017qz8.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9BA51800CC294750A80F87C7BCD6558F,SHA256=43983CAE2247076C8272BEB651B088785A66E885D186E1DADDED3E035B2A0E3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.294{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FA4711E0608320FAA6D9B521FAF21B,SHA256=70F91163A5EF36EB1A0D135C6ADF2DEAB8AC9DBA4523E8A8811B42763E39C635,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000115825397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000115825394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbec2|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000115825390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171006|C:\Windows\System32\windows.storage.dll+1412cc|C:\Windows\System32\windows.storage.dll+1410a8|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170ff4|C:\Windows\System32\windows.storage.dll+1412cc|C:\Windows\System32\windows.storage.dll+1410a8|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000115825387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}44446528C:\Windows\system32\conhost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170ff4|C:\Windows\System32\windows.storage.dll+1412cc|C:\Windows\System32\windows.storage.dll+1410a8|C:\Windows\System32\windows.storage.dll+3dbeb0|C:\Windows\System32\windows.storage.dll+3d957b|C:\Windows\system32\console.dll+b26f|C:\Windows\system32\console.dll+19a3|C:\Windows\system32\console.dll+3f8e|C:\Windows\system32\console.dll+638e|C:\Windows\SYSTEM32\ConhostV2.dll+24386|C:\Windows\SYSTEM32\ConhostV2.dll+1590b|C:\Windows\SYSTEM32\ConhostV2.dll+90fd|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\ConhostV2.dll+2e7a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000115825386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT10232021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}4444C:\Windows\system32\conhost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk2021-06-03 17:40:23.357 23542300x8000000000000000115825385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.155{3BF36828-47AA-619D-75CA-02000000CC01}4444ATTACKRANGE\AdministratorC:\Windows\system32\conhost.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnkMD5=C0BE19F80D148B348C3DE21AA3B5B7F4,SHA256=653BF59285BB4F514C0B95D3151C529D567863608177851D3FCE5946D272C4DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000115825384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.139{3BF36828-D71A-619B-E89E-02000000CC01}53243188C:\Windows\explorer.exe{3BF36828-47A9-619D-74CA-02000000CC01}7544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.139{3BF36828-D71A-619B-E89E-02000000CC01}53243188C:\Windows\explorer.exe{3BF36828-47A9-619D-74CA-02000000CC01}7544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000115825382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:03.093{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29C47F2CEC4DA5863951DB127B732F1B,SHA256=FC822789E1F40AEC6C91A619C99B0028C1E176DBD7F5549CAEAD3E530E265E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:49.871{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56861-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:04.531{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2DD501C2C2EF9BF748A15D5ED1CBE7,SHA256=E66DEC908C03B813E81E576D0CE2CCD4401426B105E38466B9DDFA09E0DBB508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:04.994{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D704BF2BEB992EDB489882DBDE6544D,SHA256=8B63F78E1576123687DF3B0ED4B2CE2C6D5F257C2A3FC4AE67F971923FF38BB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:04.295{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E4C26FD4BFD5B619B0FFC978D1ECF,SHA256=78711ADEE63DAB05C5E13AED4BD83CEDC323F7E5F57808764D10751BAAF12242,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:05.546{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C254A39DCCEED17116FA66D3881233,SHA256=96BCC78C111FC89BD3B05F1B56E8A72EA789C207DD14AD3343E8DC72A7D4FF51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:05.325{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB6A9628ED8A278791C883C3EE9B37B,SHA256=6B56AB395041C46098BF814F9268EFE4F7ECB5DBD28F6F4B7001BECA5B674E08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:06.546{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97670B81264F4200B799A529D273D06,SHA256=F7D9B594511A4DC197C649961C3D256F985B4025B955DDA479463323871C5B70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:06.356{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B09C1391039A37F7B2953392E8FD8B,SHA256=38AEA6E0828803A9F57E6C5A2B5A8245A9E6BE0E42FCC58CA40117AD6C0D5D5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000115825408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:06.156{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EB9E-02000000CC01}6156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000115825407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:06.156{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000115825406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:06.156{3BF36828-9799-6185-0C00-00000000CC01}844924C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EB9E-02000000CC01}6156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000115825405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:06.156{3BF36828-9799-6185-0C00-00000000CC01}844924C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000059040292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:07.562{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF41B9D01BE22A467FA19F674AABFC8,SHA256=6C758D0B50CC83B8075F9EC25986A9BEF23C45F96C9F41CDF96F95926DE88030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:07.423{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259F10E1A15BCF811AAE20C3676FBE2D,SHA256=03C816AAFA544CAF8A546D80A5E270ABA30C7A0E15B56AD6967E8390F3CF2B2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:08.812{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FA66A8B501969D87A6F63C843B4D56F,SHA256=531E8201062F2F444E8FBC171F9BA6109D0783422A2439A0EF6C583C2515DCC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:08.812{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D83734AD64B5A201C56904778EF128C,SHA256=2BDBBE04BEA20E28D61D9ED9CBE6A32114455857731DAC3B33AE8CE5AF908FBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:58:54.969{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56862-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:08.577{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4880368C6FA6F8B13FAC9690006A841D,SHA256=03D7CD81D2E21DA64EA74B40FB7630985F8E18A01AAD9D5BDDE26FF607448E9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:08.453{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A7CC79076C1C73CC9ACE04F811649D,SHA256=8BCBD7F31DFF1408F11EDF41D987F171AF45D5CB57A4C28233A65BECA67A6782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:08.191{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147D6971D247685C1FCE21FF828BD900,SHA256=63C6813E2983E037735C91774F03025EA5251BACA1368E7C2F2BAA917ABF85FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:09.593{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892AA8F24545BE23362E20E846344C08,SHA256=C6FA276579058C1C80B452C3E9B527E8481925DE6F2248D7C90B044A4B8716AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:09.872{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC73864FC4695BC1859BBB2310307321,SHA256=A7DDA4CE50BB05E2FFAD011D624835101DFE4F4981A16288F485F63542FA34FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:09.490{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67533F406FEF2E09A8159ABD6348352B,SHA256=847492B636AB731DC89F07A508323B81FE80652C3AED3A3316A236823518F993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:32.732{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61969-false10.0.1.12-8000- 23542300x800000000000000059040298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:10.609{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2FF2B1878203591524913E6A08A044,SHA256=7631744A858AC76623EF643C490B5EE6AA92DC0A2717382588B50722E0463533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:10.536{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A0381CFE7843DAE982234B0C3A42DE,SHA256=B687C859E224CB256FAF6A63C685F2491777B6B5E09BC300CE2965343813BD73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:11.609{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33688AA75B0914D7CCBED13F57692098,SHA256=E4F3A5E5F1CC53B21904B8CFFE794CFDD5B579A2C57F0356E75DD873E4CAC887,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:11.541{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91895DDF26F7818D6EE4AE821658736F,SHA256=6DD9503D29980BB821DA6972DC3DDD5BCC08E0C4CA36D55473B7D330BBC030C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:12.624{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536052EE998A14A69A4B62BF1E97D5C8,SHA256=84120CEE4CAE1D8EE85E77E4912A700FB60D3C890E8344A24DEC2176D0A4CBF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:12.574{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE32B50668290B28BFD1B36D15DB85,SHA256=2975D0DE1CF6C39A39B77A2CD197909FC86E6A0B5F0ED6A6B8BF3DB374C47E2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:13.640{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F9E79EA6ED6A2E3F340B2871902993,SHA256=31835A7CCCEEBC4DC56CDA808636462DB59EB9BA78DFC5FC4CED43B898B94D22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:13.577{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5144FA65D11686C421E38C0A3D03159,SHA256=6BA47F6377A456C2CF2AE1D68CF887C61FA41C9C9B80870811E88BD7DF6147CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:00.797{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56863-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:14.640{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC65F6B476633271A5748B6F5D29A6A,SHA256=19670945C6D7A2C613DD89B24ABC905241B39C47F1EFBCDAFBFD432816573275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:14.596{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6D21EC9E6F3A52D7E3B2FB3BF50984,SHA256=A9708DF2CAE8AAB1D329EFBA1A7C0F76959912DD266EDC271E147FE0DE7211DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:14.059{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A78CD14B3A38DFD72FB2CAE206FEEA36,SHA256=E1460788081B6E81E562750160A274B34E78BAD7E500FF2E9DC40F6FD79B9A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:15.656{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221FDAF491355555747D22B9121331A8,SHA256=63AD19AB518C620E3BBD3E34266959E4B41178020B057FC5C1090160FAB54131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000115825428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:15.694{3BF36828-9799-6185-0C00-00000000CC01}844924C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1300-00000000CC01}944C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:15.694{3BF36828-9799-6185-0C00-00000000CC01}844924C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1300-00000000CC01}944C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:15.694{3BF36828-9799-6185-0C00-00000000CC01}844924C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1300-00000000CC01}944C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:15.694{3BF36828-9799-6185-0C00-00000000CC01}844924C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1300-00000000CC01}944C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:15.694{3BF36828-9799-6185-0C00-00000000CC01}844924C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1300-00000000CC01}944C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000115825423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:15.626{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BFA773B1B229057B59D77FD033A697,SHA256=D1C2EE5F94EB7D320EE329B89E257A6B012E606DB87CC767B27458ECB05EA4B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:38.605{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61970-false10.0.1.12-8000- 23542300x8000000000000000115825430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:16.924{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=752E80D637110EE35B185CDD26699553,SHA256=4BBEA79CC85178CF83A3DC4CBBD3092FF63B1B17AB414378B2E5116786655A1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:16.656{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE364F199EF595708FE2B117BCE398D,SHA256=17D57546F519DD0964A22450B13EE0D41233D3554C08FA966B12B5AEA2BE811C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:16.656{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7E047D755542F922C4227C509CBF7C,SHA256=6B867DB7C97A0B65A0C649A471EFB72AA49D7FCB713C2AB1DA756A04A6CE711F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:17.676{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F1442D2B75AE2146154518782F95D0,SHA256=4F140C3B85FC92F68006DAEAB71F08733328E5D30B4C523CC029C2401AF34573,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:17.671{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA72CFC21F336F63CC23C499BAE498C,SHA256=56A0933E8B521AA5BF1560DC51990E6D6301C2187BE16401B5473C60163748EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:18.687{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51803AE86C22916139C30C5F05EE44B5,SHA256=6ACAA72EEA2326165FD69B1E2E0345031A05CE1F2BDDF302E1D56DA3E3DF0288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:18.691{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6FFD3A8734C7A1A5CD1A8ACA1CA180,SHA256=2AF9A21CDC8703518EE0569268C1F3367C7221CEF841A478BF05E119A2AB6F89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:18.607{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:19.702{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AE9B79715E1009143A290D1DD51B89,SHA256=549ACFE412828908923029AE91215ABAA31FBCB1453FEC3CD7E6D87555E3F188,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:19.721{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A44EEA95C34D76A32764CC85DF90BAD,SHA256=2BD52F51EC0A9399F37B36EB312F9CE8A2C2237F3F50702F37B7D35E03014120,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:19.572{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14EBDA7971605665552B466432971347,SHA256=BE16BD9474D7D559DDBCFD24174B281C3EE4ABA356892EFDECEE56B9642E243B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:19.571{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2C0C2A136DA80E7E70E55F46FCCFF70,SHA256=7D7A197D4B352B0FF01EAFF5C9D1C5D30539CB0B1EAD0E54C541152F66F37DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:20.729{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF58B8D70F789739EAB97B0A49148CD9,SHA256=94DB722474D9A89677B15F30DB701EB61046A1F644EF7E987D9BBE1461A7E9FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:06.782{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56864-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:20.718{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED81D5E3D1061422C1F089BBF81CFEB6,SHA256=85848AFECEE5EB767186FF65ABF00E08E36C389AF740015AC0F977CBB3EDF47D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:44.599{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61972-false10.0.1.12-8000- 354300x8000000000000000115825437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:44.139{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61971-false10.0.1.12-8089- 23542300x8000000000000000115825440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:21.730{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D943FE4C8074CAE24884B24AEB665B2,SHA256=B3D0553C720A634989B10E5B4764B89F67ADAEAAB99EDF6318A39FB3CE8773C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:21.718{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F8A2972145D4B2A746F6A4D8A39014,SHA256=667B1A7884EFBFCCD0ECE460DF3828D3A5DFAB38CAFB5B4280CA4DA091E48195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:22.734{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE586E767E508DC1BF2B546F84BF400,SHA256=AA07972626EC4AB2E3802F73730AF485D67A517C5A203C63F76FB1D7AD5971CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:22.731{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD99205E71FF79AC3872EB6D00B5A9B,SHA256=6B2F9C1962265085AC42F3F0799ADE1012F61A519D1161B7408B799D95656EDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:22.249{B81B27B7-28B2-6193-1300-00000000CC01}364NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D7DE81A085FF61B5712E544C53293FF1,SHA256=0FCE02188E1E3162EBE9A086B51BAB9758CB05C237F556F2A69AA2F567F29E16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:23.749{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92DFE9AC546144974277E98713FA8A9,SHA256=9B16341EB270A6F94FF5B26987E9B17CD2868637A5568FE248292E27FC51BCB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:23.745{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3457F6E7A39522275E284B28F9FECDB7,SHA256=5399586CD4C07CAC1EF6B769EC0DD97A8C1E27BD0C16E0E364338B860F8A4748,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:24.755{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81AC84D15B806B89D15559AFCA7A5B8,SHA256=39AED76BBEFE9E9B980B896FADB141BB3E944A168EB4B35E05DD0C886060FB9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.980{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77D3D7D9704D7EFC8BF3C3A123FE5454,SHA256=CBDF418E67F9705F9020A9C22160B45D16630A4F2DB8475BDC295A50AADCF6CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.978{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14EBDA7971605665552B466432971347,SHA256=BE16BD9474D7D559DDBCFD24174B281C3EE4ABA356892EFDECEE56B9642E243B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.878{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197B1C60FBC040BAD470CD6434CDBC76,SHA256=B8A0D6AB2EE6F1A95764B40573AADF91FF5C6A8ED4E15B86F73D42F0383FF2D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.728{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A29B5783EF30E374CBD27974BD669509,SHA256=5444B4A8CDFCF65F024B71DD0C334CC7642DB2C863DA8454A52FFF86626A738B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000115825468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EA9E-02000000CC01}4372C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EB9E-02000000CC01}6156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EB9E-02000000CC01}6156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71B-619B-EB9E-02000000CC01}6156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:24.344{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-D71A-619B-E89E-02000000CC01}5324C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000115825473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:25.899{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57AD459E7A8EECC41E261995D4EA3B4,SHA256=B42057DA526CF6DFC304DDBBD43783111791C254FB0FD8D5E6F03F8C46A29BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:25.770{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA4E4717649F4650E7F80FCCD1DD3A1,SHA256=45A62CE316EDDCAB7B188CCAF3EAEB1B7CEB3F05814D2EDA6C0742F972E48692,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:26.945{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0FDB520B69DFAE1DF99EDE71DD434B,SHA256=2DB61CAD7FA141FE4A9B9D085B257029943FFD7CE3B79FB2FF629029F5A4AAEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:26.786{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8F2E3BB14C2C1B60B85B4DCEEC99E0,SHA256=7F0D16048FD2FF998D9904B7A20EF0EFED9659D6C0CEEEC80A4351BFB52A2A58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:49.659{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61973-false10.0.1.12-8000- 23542300x8000000000000000115825486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:27.946{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8699885D1CF2C00AC7EA6B92DFB92702,SHA256=AFBF51F1BBDD7CC6EE681DE8FC04E1C8CE7267C845DA117AAE519EA3D5A1C18E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000059040332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B4-6193-3100-00000000CC01}31203140C:\Windows\system32\conhost.exe{B81B27B7-643F-619D-4A34-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B0-6193-0500-00000000CC01}408384C:\Windows\system32\csrss.exe{B81B27B7-643F-619D-4A34-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059040321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.864{B81B27B7-28B3-6193-2C00-00000000CC01}23323408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-643F-619D-4A34-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059040320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.849{B81B27B7-643F-619D-4A34-01000000CC01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-28B1-6193-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059040319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:27.802{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D92F660D1ABC32AF0294F5BC421AAD,SHA256=7A0A17FDCB30E239BD3E546B7D1C2C9CBE66145608D9F0D813B5258D5BE7D721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000115825485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000115825484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x5cf7ea71) 13241300x8000000000000000115825483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e0ac-0xfff9d1fb) 13241300x8000000000000000115825482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e0b5-0x61be39fb) 13241300x8000000000000000115825481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e0bd-0xc382a1fb) 13241300x8000000000000000115825480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000115825479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x5cf7ea71) 13241300x8000000000000000115825478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7e0ac-0xfff9d1fb) 13241300x8000000000000000115825477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7e0b5-0x61be39fb) 13241300x8000000000000000115825476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-23 21:59:26.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7e0bd-0xc382a1fb) 354300x800000000000000059040318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:11.881{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56865-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000115825487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:28.960{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC2D86530E61B5620CADCF789A9C7EB,SHA256=29991A3D2965D6630EB09C94940414549110324B704ECD5ABA655345E49C2CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000059040346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.708{B81B27B7-6440-619D-4B34-01000000CC01}59764116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B4-6193-3100-00000000CC01}31203140C:\Windows\system32\conhost.exe{B81B27B7-6440-619D-4B34-01000000CC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.552{B81B27B7-28B0-6193-0500-00000000CC01}408528C:\Windows\system32\csrss.exe{B81B27B7-6440-619D-4B34-01000000CC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059040334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.536{B81B27B7-28B3-6193-2C00-00000000CC01}23323408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6440-619D-4B34-01000000CC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059040333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:28.537{B81B27B7-6440-619D-4B34-01000000CC01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-28B1-6193-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059040362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B4-6193-3100-00000000CC01}31203140C:\Windows\system32\conhost.exe{B81B27B7-6441-619D-4C34-01000000CC01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B1-6193-0D00-00000000CC01}7521220C:\Windows\system32\svchost.exe{B81B27B7-28B3-6193-2B00-00000000CC01}2324C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B0-6193-0500-00000000CC01}408384C:\Windows\system32\csrss.exe{B81B27B7-6441-619D-4C34-01000000CC01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059040351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.208{B81B27B7-28B3-6193-2C00-00000000CC01}23323408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-6441-619D-4C34-01000000CC01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059040350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.195{B81B27B7-6441-619D-4C34-01000000CC01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-28B1-6193-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-28B3-6193-2C00-00000000CC01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059040349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.192{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9933B47FF47BBA54568E3B400F66079B,SHA256=EFE954881D81ACB2903598755C7CAAE7CC035EF0753E2456FBF3E2C98ABB1F84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.192{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B456752E0E7E9C7F33C4DAA948F112F,SHA256=862DC3D64D47B48A188B74DD272553626F16324342CAD0E5A08BCA624D736324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:29.192{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FA66A8B501969D87A6F63C843B4D56F,SHA256=531E8201062F2F444E8FBC171F9BA6109D0783422A2439A0EF6C583C2515DCC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:30.208{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC470FF44401CD85148056F09C1548A3,SHA256=CD954C887CF1A18EB23ABC38FDB2865C2486AB218678C030F0F81C29363969E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:30.208{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9933B47FF47BBA54568E3B400F66079B,SHA256=EFE954881D81ACB2903598755C7CAAE7CC035EF0753E2456FBF3E2C98ABB1F84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000115825491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:54.691{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61974-false10.0.1.12-8000- 23542300x8000000000000000115825490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:30.143{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C617E13B9EA6C1FAA6F392DF4392D9FA,SHA256=2720E0E748B045B78850275C6656A7308934DE6377CCCAA9CF0E27BB0CB8FDDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:30.143{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77D3D7D9704D7EFC8BF3C3A123FE5454,SHA256=CBDF418E67F9705F9020A9C22160B45D16630A4F2DB8475BDC295A50AADCF6CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:30.012{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BB4B5C4F139A2150C5D1B40F751AC9,SHA256=697DED9F101C609E57C63D2D9E5EE3992040FCFF0DC2A3A2E9C3F90DA80A4ED3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:31.302{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A26AF66C8C78950DE7A7A235448F90,SHA256=9F63D9B78C7270D53675CA4BAF3DEAA7237CE8A1C2AA456712E82C6383993854,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:31.027{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA0AAF4481EEC39CD0553CCA43DD4A6,SHA256=B21A1FE3BD0B76A629FF99EEB1574A9F97FA44BBC7650EBC241A4B3CF1011FEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:16.912{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56866-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000059040367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:32.303{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994980F3B15750CC14E932FCF70C4513,SHA256=0023FBF5B2533F6D45E026112FCC5546767EF0AE1BE92D05C4C29B6A25F79C8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:32.041{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447D94DA76DDCF48EE40E86F47F734FC,SHA256=6E96F04CC7515EAA1C729130AC7E5E7F6246BD8274A8EB7584E17D338B8D83C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:33.332{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB059B6143046957DB57FB01F3E28CD9,SHA256=04DBA94CFB9ACB8F6F96BDC88887AC83D4A0709271076DB52A759AD1E489F5F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.992{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115825592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115825591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115825590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000115825589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115825588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000115825587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115825586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000115825585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000115825584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115825583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115825582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115825581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115825580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000115825579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115825578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115825577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115825576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115825575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000115825574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115825573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115825572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115825571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115825570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000115825569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115825568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115825567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115825566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115825565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000115825564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115825563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115825562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.976{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115825561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.975{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115825560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.975{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115825559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.974{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.974{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000115825557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.973{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.973{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000115825555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.973{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000115825554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.972{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.972{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000115825552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.972{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.972{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.971{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.971{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.971{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000115825547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.971{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000115825546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.955{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000115825545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.439{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000115825544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.439{3BF36828-6445-619D-D4CD-02000000CC01}78687520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.439{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115825542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.439{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000115825541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115825540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115825539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115825538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000115825537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115825536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000115825535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115825534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000115825533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115825532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115825531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115825530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115825529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115825528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115825527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115825526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115825525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115825523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000115825522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115825521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115825520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115825519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000115825518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115825517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115825516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000115825515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115825514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115825513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115825512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115825511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115825510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115825509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000115825508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115825507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.292{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000115825506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000115825504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000115825503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000115825501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000115825496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.277{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000115825495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.272{3BF36828-6445-619D-D4CD-02000000CC01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000115825494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:33.055{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEB101AADD5A50C720A01D287B18E18,SHA256=3E71CB77C2909A3D075A99167B1C8054321475A5D5F0E1154C05AB3BB43C3DBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000059040369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:34.553{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5587F517611D1641AF72F2057F167EB,SHA256=F25738BD4A506FA95BF0FD3A031B8674C3B88A8A3423505BEC58406FE44E7721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.754{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000115825649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.754{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115825648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.754{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000115825647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115825646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115825645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115825644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000115825643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115825642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000115825641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115825640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.622{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000115825639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115825638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115825637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115825636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115825635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115825634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115825633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115825632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115825631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115825630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115825628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115825627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000115825626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115825625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000115825624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115825623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115825622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000115825621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115825620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115825619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115825618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000115825617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115825616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115825615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115825614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115825613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000115825612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000115825611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000115825609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000115825608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000115825606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000115825601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.607{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000115825600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.592{3BF36828-6446-619D-D6CD-02000000CC01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000115825599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.291{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C617E13B9EA6C1FAA6F392DF4392D9FA,SHA256=2720E0E748B045B78850275C6656A7308934DE6377CCCAA9CF0E27BB0CB8FDDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.191{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F799B1484EAA3D22CDFA266ED79FF632,SHA256=FB4E29D5AE8638BE07B0899667B2B9B405BD4133D856BED83BA315050B3316B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.172{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1D78C0EE31C3775F3B52EA41449877,SHA256=590320374AB3EC20EF4F2776A857274D208DE9BA1712D86D6F2E3D9869DE0094,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000115825596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.123{3BF36828-6445-619D-D5CD-02000000CC01}7404956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.123{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115825594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:34.123{3BF36828-6445-619D-D5CD-02000000CC01}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000059040370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:35.678{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7966623B3E71F57B425C0DD1E74E79B7,SHA256=2457E2AD8F831BEA5C7DD6C8C663FEC12D5F4CE4BBCFBFC68B4849BD43133E53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115825744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115825743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115825742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115825741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115825740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115825739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115825737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115825736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000115825735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115825734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115825733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000115825732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115825731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115825730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115825729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000115825728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115825727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115825726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115825725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115825724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115825723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000115825722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115825721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115825720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115825719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000115825718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000115825716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000115825715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000115825713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000115825708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.974{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000115825707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.969{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000115825706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:59.715{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61975-false10.0.1.12-8000- 23542300x8000000000000000115825705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.690{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=49630A5BE8F81FD5B61CF180275DE447,SHA256=C4BE7C48C9922257807F71092F1811F29F5C8E44D6BC43EC72EFFE127C0996FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.674{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5792D535024C2103BF16C6F602ABC3D4,SHA256=99BB39E9EB90AE0BDBD647F1B5CBEC0602945FBDB6B629B59571D1DD116431BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.437{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000115825702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.437{3BF36828-6447-619D-D7CD-02000000CC01}49526392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.437{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115825700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.437{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000115825699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.422{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15CB33CE0F875C419A7D4470FE940E6,SHA256=4E4B2450A649444307662A2546DF3B5CC959434D33982FAE280469CEB53B0234,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.306{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115825697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.306{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115825696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.306{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115825695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.306{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000115825694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.306{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115825693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.306{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000115825692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.306{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115825691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000115825690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115825689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115825688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115825687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115825686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115825685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115825684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115825683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115825682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115825681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115825679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000115825678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115825677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115825676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000115825675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115825674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000115825673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115825672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115825671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115825670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115825669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115825668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000115825667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115825666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000115825665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115825664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115825663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000115825662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000115825660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000115825659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000115825657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000115825652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.291{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000115825651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.273{3BF36828-6447-619D-D7CD-02000000CC01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059040372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:36.882{B81B27B7-28C5-6193-8A00-00000000CC01}5780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBD0EEAE4E95A57C3066B2831281390,SHA256=A626F62C30321D70930EA557D7571C3966F32F27248F14C7D06D8657DD9A8FEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000115825817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.988{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E773D46728A5E438016F2CA55CFE2CB,SHA256=D916BBECEE3929CE4A71D83083A05F5596D40D9A8240D1DB557795A99DA9D9D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.804{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000115825815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.804{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115825814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.804{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000115825813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 22:00:00.999{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61976-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000115825812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 22:00:00.999{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61976-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 734700x8000000000000000115825811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.671{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115825810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.671{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115825809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.670{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115825808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.669{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000115825807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.668{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115825806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.668{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000115825805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.667{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115825804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.667{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000115825803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000115825802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115825801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115825800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115825799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115825798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115825797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115825796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115825795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115825794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000115825793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115825792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115825791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115825790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115825789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115825788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115825787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115825786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115825785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000115825784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115825783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115825782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000115825780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000115825779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000115825778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000115825777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000115825776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115825775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000115825774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000115825773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115825772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000115825771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000115825769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000115825768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115825767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000115825766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-9799-6185-0C00-00000000CC01}8444904C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115825762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000115825761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.651{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000115825760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.637{3BF36828-6448-619D-D9CD-02000000CC01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000115825759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.336{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9AF96BEABB48304DDCC6CBC1ACA867,SHA256=63AD84C68186CBBF4360250AF77C2E054FD53EC9CDABCF8666B45F98020B6DD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000059040371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-23 21:59:21.942{B81B27B7-28BE-6193-7E00-00000000CC01}5272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56867-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000115825758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.152{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000115825757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.152{3BF36828-6447-619D-D8CD-02000000CC01}55167480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000115825756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.152{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115825755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.152{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000115825754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.121{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B64CC8F4112B9C0EC13B95F92C69BD6,SHA256=8BC7D6B7F79BDD3FC3C4B3689C7EB2807DE4EC56647050B7A6DA068174515B85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000115825753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.005{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115825752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.005{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115825751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:36.005{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115825750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000115825749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115825748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-23 21:59:35.990{3BF36828-6447-619D-D8CD-02000000CC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000